Abstract. We give an optimal (EXPTIME), sound and complete tableau-based algorithm for deciding satisfiability for propositional dynamic logic with converse (CPDL) which does not require the use of analytic cut. Our main contribution is a sound method to combine our previous optimal method for tracking least fix-points in PDL with our previous optimal method for handling converse in the description logic ALCI. The extension is non-trivial as the two methods cannot be combined naively. We give sufficient details to enable an implementation by others. Our OCaml implementation seems to be the first theorem prover for CPDL.



1 Introduction 

Propositional dynamic logic (PDL) is an important logic for reasoning about programs. Its formulae consist of traditional Boolean formulae plus "action modalities" built from a finite set of atomic programs using sequential composition (;), non-deterministic choice (∪), repetition (*), and test (?). The logic CPDL is obtained by adding converse (⁻), which allows us to reason about previous actions. The satisfiability problem for CPDL is EXPTIME-complete [1].

De Giacomo and Massacci [2] give a NEXPTIME tableau algorithm for deciding CPDL-satisfiability, and discuss ways to obtain optimality, but do not give an actual EXPTIME algorithm. The tableau method of Nguyen and Szałas [3] is optimal. Neither method has been implemented, and since both require an explicit analytic cut rule, it is not at all obvious that they can be implemented efficiently. Optimal game-theoretic methods for fix-point logics [4] can be adapted to handle CPDL [5] but involve significant non-determinism. Optimal automata-based methods [6] for fix-point logics are still in their infancy because good optimisations are not known. We know of no resolution methods for CPDL.

We give an optimal tableau method for deciding CPDL-satisfiability which 
does not rely on a cut rule. Our main contribution is a sound method to combine 
our method for tracking and detecting unfulfilled eventualities as early as possible 
in PDL [7] with our method for handling converse for ALCI [8]. The extension 
is non-trivial as the two methods cannot be combined naively. 



* NICTA is funded by the Australian Government's Department of Communications, 
Information Technology and the Arts and the Australian Research Council through 
Backing Australia's Ability and the ICT Centre of Excellence program. 



Table 1. Smullyan's α- and β-notation to classify formulae
We present a mixture of pseudo code and tableau rules rather than a set of traditional tableau rules to enable easy implementation by others. Our unoptimised OCaml implementation appears to be the first automated theorem prover for CPDL (http://rsise.anu.edu.au/~rpg/CPDLTabProver/). The proofs can be found in the appendix.

2 Syntactic Preliminaries 

Definition 1. Let AFml and APrg be two disjoint and countably infinite sets of propositional variables and atomic programs, respectively. The set LPrg of literal programs is defined as $\mathit{LPrg} := \mathit{APrg} \cup \{a^- \mid a \in \mathit{APrg}\}$. The set Fml of all formulae and the set Prg of all programs are defined mutually inductively as follows, where $p \in \mathit{AFml}$ and $l \in \mathit{LPrg}$:

$$\mathit{Fml} \quad \varphi ::= p \mid \neg\varphi \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \langle\gamma\rangle\varphi \mid [\gamma]\varphi$$
$$\mathit{Prg} \quad \gamma ::= l \mid \gamma;\gamma \mid \gamma \cup \gamma \mid \gamma^* \mid \varphi?$$

A ⟨lp⟩-formula is a formula $\langle\gamma\rangle\varphi$ where $\gamma \in \mathit{LPrg}$ is a literal program.

Implication (→) and equivalence (↔) are not part of the core language but can be defined as usual. In the rest of the paper, let p ∈ AFml and l ∈ LPrg.

We omit the semantics as it is a straightforward extension of PDL [7] and write M, w ⊩ φ if φ ∈ Fml holds in the world w ∈ W of the model M.

Definition 2. For a literal program l ∈ LPrg, we define l⁻ as a if l is of the form a⁻, and as the literal program l⁻ otherwise, so that (a⁻)⁻ = a. A formula φ ∈ Fml is in negation normal form if the symbol ¬ appears only directly before propositional variables. For every φ ∈ Fml, we can obtain a formula nnf(φ) in negation normal form by pushing negations inward such that φ ↔ nnf(φ) is valid. We define ~φ := nnf(¬φ).

We categorise formulae as α- or β-formulae as shown in Table 1 so that the formulae of the form α ↔ α₁ ∧ α₂ and β ↔ β₁ ∨ β₂ are valid. An eventuality is a formula of the form ⟨γ₁⟩…⟨γ_k⟩⟨γ*⟩φ, and Ev is the set of all eventualities. Using Table 1, a binary relation relates an α-formula α (respectively a β-formula β) to its reduction α₁ (respectively β₁ and β₂). See [7, Def. 7] for their formal definitions.

3 An Overview of our Algorithm 

Our algorithm builds an and-or graph G by repeatedly applying four rules (see Table 2) to try to build a model for a given φ in negation normal form. Each node x carries a formula set F_x, a status sts_x, and other fields to be described shortly. Rule 1 applies the usual expansion rules to a node to create its children. These expansion rules capture the semantics of CPDL. We use Smullyan's α/β-rule notation for classifying rules and nodes. As usual, a node x is a ("saturated") state if no α/β-rule can be applied to it. If x is a state then for each ⟨l⟩φ in F_x, we create a node y with F_y = {φ} ∪ Δ, where Δ = {ψ | [l]ψ ∈ F_x}, and add an edge from x to y labelled with ⟨l⟩φ to record that y is an l-successor of x.

If F_x contains an obvious contradiction during expansion, its status becomes "closed", which is irrevocable. Else, at some later stage, Rule 2 determines its status as either "closed" or "open". "Open" nodes contain additional information which depends on the status of other nodes. Hence, if a node changes its status, it might affect the status of another ("open") node. If the stored status of a node does not match its current status, the node is no longer up-to-date. Rule 3, which may be applied multiple times to the same node, ensures that "open" nodes are kept up-to-date by recomputing their status if necessary. Finally, Rule 4 detects eventualities which are impossible to fulfil and closes nodes which contain them. We first describe the various important components of our algorithm separately.

Global State Caching. For optimality, the graph G never contains two state nodes which carry the same set of formulae [8]. However, there may be multiple non-states which carry the same set of formulae. That is, a non-state node x carrying Γ which appears while saturating a child y of a state z is unique to y. If a node carrying Γ is required in some other saturation phase, a new node carrying Γ is created. Hence the nodes of two saturation phases are distinct.

Converse. Suppose state y is a descendant of an l-successor of a state x, with no intervening states. Call x the parent state of y since all intervening nodes are not states. We require that {ψ | [l⁻]ψ ∈ F_y} ⊆ F_x, since y is then compatible with being an l-successor of x in the putative model under construction. If some [l⁻]ψ ∈ F_y has ψ ∉ F_x then x is "too small", and must be "restarted" as an alternative node x⁺ containing all such ψ. If any such ψ is a complex formula to which an α/β-rule is applicable then x⁺ is not a state and may have to be "saturated" further. The job of creating these alternatives is done by special nodes [8]. Each special node monitors a state and creates the alternatives when needed.

Detecting Fulfilled and Unfulfilled Eventualities. Suppose the current node x contains an eventuality e_x. There are three possibilities. The first is that e_x can be fulfilled in the part of the graph which is "older" than x. Else, it may be possible to reach a node z in the parts of the graph "newer" than x such that z contains a reduction e_z of e_x. Since this "newer" part of the graph is not fully explored yet, future expansions may enable us to fulfil e_x via z, so the pair (z, e_z) is a "potential rescuer" of e_x. The only remaining case is that e_x cannot be fulfilled in the "older" part of the graph, and has no potential rescuers. Thus future expansions of the graph cannot possibly help to fulfil e_x since it cannot reach these "newer" parts of the future graph. In this case x can be "closed". The technical machinery to maintain this information for PDL is from [7]. However, the presence of "converse" and the resulting need for alternative nodes requires a more elaborate scheme for CPDL.

4 The Algorithm 

Our algorithm builds a directed graph G consisting of nodes and directed edges. 
We first explain the structure of G in more detail. 

Definition 3. Let X and Y be sets. We define $X^\bot := X \uplus \{\bot\}$ where ⊥ indicates the undefined value and ⊎ is the disjoint union. If $f : X \to Y$ is a function and $x \in X$ and $y \in Y$ then the function $f[x \mapsto y] : X \to Y$ is defined as $f[x \mapsto y](x') := y$ if $x' = x$ and $f[x \mapsto y](x') := f(x')$ if $x' \neq x$.

Definition 4. Let G = (V, E) be a graph where V is a set of nodes and E is a set of directed edges. Each node $x \in V$ has six attributes: $F_x \subseteq \mathit{Fml}$, $\mathit{ann}_x : \mathit{Ev} \to \mathit{Fml}^\bot$, $\mathit{pst}_x \in V^\bot$, $\mathit{ppr}_x \in \mathit{LPrg}^\bot$, $\mathit{idx}_x \in \mathit{Nat}^\bot$, and $\mathit{sts}_x \in \mathcal{S}$ where

$$\mathcal{S} := \{\mathit{unexp}, \mathit{undef}\} \cup \{\mathit{closed}(\mathit{alt}) \mid \mathit{alt} \subseteq \mathcal{P}(\mathit{Fml})\} \cup \{\mathit{open}(\mathit{prs}, \mathit{alt}) \mid \mathit{prs} : \mathit{Ev} \to (\mathcal{P}(V \times \mathit{Ev}))^\bot \ \&\ \mathit{alt} \subseteq \mathcal{P}(\mathit{Fml})\}.$$

Each directed edge $e \in E$ is labelled with a label $l_e \in (\mathit{Fml} \cup \mathcal{P}(\mathit{Fml}) \cup \{\mathit{cs}\})^\bot$ where cs is just a constant.

All attributes of a node x ∈ V are initially set at the creation of x, possibly with the value ⊥ (if allowed). Only the attributes idx_x and sts_x are changed at a later time. We use the function create-new-node(Γ, ann, pst, ppr, idx, sts) to create a new node and initialise its attributes in the obvious way.

The finite set F_x contains the formulae which are assigned to x. The attribute ann_x is defined for the eventualities in F_x at most. If ann_x(φ) = φ' then φ' ∈ F_x and φ' is a reduction of φ in the sense of Table 1. The intuitive meaning is that φ has already been "reduced" to φ' in x. For a state (as defined below) we always have that ann_x is undefined everywhere since we do not need the attribute for states.

The node x is called a state iff both attributes pst_x and ppr_x are undefined. For all other nodes, the attribute pst_x identifies the, as we will ensure, unique ancestor p ∈ V of x such that p is a state and there is no other state between p and x in G. We call p the parent state of x. The creation of the child of p which lies on the path from p to x (it could be x) was caused by a ⟨lp⟩-formula ⟨l⟩φ in F_p. The literal program l, which we call the parent program of x, is stored in ppr_x. Hence, for nodes which are not states, both pst_x and ppr_x are defined.

The attribute sts_x describes the status of x. Unlike the attributes described so far, its value may be modified several times. The value unexp, which is the initial value of each node, indicates that the node has not yet been expanded. When a node is expanded, its status becomes either closed(·) if it contains an immediate contradiction, or undef to indicate that the node has been expanded but that its "real" status is to be determined. Eventually, the status of each node is set to either closed(·) or open(·, ·). If the status is open(·, ·), it might be modified several times later on, either to closed(·) or to open(·, ·) (with different arguments), but once it becomes closed(·), it will never change again.

We call a node undefined if its status is unexp or undef and defined otherwise. Hence a node is undefined initially, becomes defined eventually, and then never becomes undefined again. Furthermore, we call x closed iff its status is closed(alt) for some alt ⊆ 𝒫(Fml). In this case, we define alt_x := alt. We call x open iff its status is open(prs, alt) for some prs : Ev → (𝒫(V × Ev))^⊥ and some alt ⊆ 𝒫(Fml). In this case, we define prs_x := prs and alt_x := alt. To avoid some clumsy case distinctions, we define alt_x := ∅ if x is undefined.

The value closed(alt) indicates that the node is "useless" for building an interpretation because it is either unsatisfiable or "too small". In the latter case, the set alt of alternative sets contains information about missing formulae. Finally, the value open(prs, alt) indicates that there is still hope that x is "useful" and the function prs_x contains information about each eventuality e ∈ F_x as explained in the overview. Although x itself may be useful, we need its alternative sets in case it becomes closed later on. Hence it also has a set of alternative sets.

The attribute idx_x serves as a time stamp. It is set to ⊥ at creation time of x and becomes defined when x becomes defined. When this happens, the value of idx_x is set such that idx_x > idx_y for all nodes y which became defined earlier than x. We define y ⊏ x iff idx_y ≠ ⊥ and either idx_x = ⊥ or idx_y < idx_x. Note that y ⊏ x depends on the current state of the graph. However, once y ⊏ x holds, it will do so for the rest of the time.

To track eventualities, we label an edge between a state and one of its children by the ⟨lp⟩-formula ⟨l⟩φ which creates this child. Additionally, we label edges from special nodes (see overview) to their corresponding states with the marker cs. We also label edges from special nodes to their alternative nodes with the corresponding alternative set.

Definition 5. Let $\mathit{ann}^\bot : \mathit{Ev} \to \mathit{Fml}^\bot$ and $\mathit{prs}^\bot : \mathit{Ev} \to (\mathcal{P}(V \times \mathit{Ev}))^\bot$ be the functions which are undefined everywhere. For a node $x \in V$ and a label $l \in \mathit{Fml} \cup \mathcal{P}(\mathit{Fml}) \cup \{\mathit{cs}\}$, let $\mathit{getChild}(x, l)$ be the node $y \in V$ such that there exists an edge $e \in E$ from $x$ to $y$ with $l_e = l$. If $y$ does not exist or is not unique, let the result be ⊥. For a function $\mathit{prs} : \mathit{Ev} \to (\mathcal{P}(V \times \mathit{Ev}))^\bot$, a node $x \in V$, and an eventuality $\varphi \in \mathit{Ev}$, we define the set $\mathit{reach}(\mathit{prs}, x, \varphi)$ of eventualities as follows:

$$\mathit{reach}(\mathit{prs}, x, \varphi) := \{\psi \in \mathit{Ev} \mid \exists k \in \mathbb{N}_0.\ \exists \psi_0, \ldots, \psi_k \in \mathit{Ev}.\ (\psi = \psi_k \ \&\ (x, \psi_0) \in \mathit{prs}(\varphi) \ \&\ \forall i \in \{0, \ldots, k-1\}.\ (x, \psi_{i+1}) \in \mathit{prs}(\psi_i))\}.$$

The function $\mathit{defer} : V \times \mathit{Ev} \to \mathit{Fml}^\bot$ is defined as follows:

$$\mathit{defer}(x, \varphi) := \begin{cases} \varphi_k & \text{if } \exists k \in \mathbb{N}_0.\ \exists \varphi_0, \ldots, \varphi_k \in \mathit{Fml}.\ (\varphi_0 = \varphi \ \&\ \forall i \in \{0, \ldots, k-1\}.\ (\varphi_i \in \mathit{Ev} \ \&\ \mathit{ann}_x(\varphi_i) = \varphi_{i+1}) \ \&\ (\varphi_k \notin \mathit{Ev} \text{ or } \mathit{ann}_x(\varphi_k) = \bot)) \\ \bot & \text{otherwise.} \end{cases}$$



The function getChild(x, l) retrieves a particular child of x. It is easy to see that, during the algorithm, the child is always unique if it exists.

Intuitively, the function reach(prs, x, φ) computes all eventualities which can be "reached" from φ inside x according to prs. If a potential rescuer (x, ψ) is contained in prs(φ), the potential rescuers of ψ are somehow relevant for φ at x. Therefore ψ itself is relevant for φ at x. The function reach(prs, x, φ) computes exactly the transitive closure of this relevance relation.

Procedure is-sat for testing whether a formula φ is satisfiable

Input: a formula φ ∈ Fml in negation normal form
Output: true iff φ is satisfiable

    G := a new empty graph; idx := 1
    let d ∈ APrg be a dummy atomic program which does not occur in φ
    rt := create-new-node({⟨d⟩φ}, ann^⊥, ⊥, ⊥, ⊥, unexp)
    insert rt in G
    while one of the rules in Table 2 is applicable do
        apply any one of the applicable rules in Table 2
    if sts_rt = open(·, ·) then return true else return false

Table 2. Rules used in the procedure is-sat

Rule 1: Some node x has not been expanded yet.
Condition: ∃x ∈ V. sts_x = unexp
Action: expand(x)

Rule 2: The status of some node x is still undefined.
Condition: ∃x ∈ V. sts_x = undef
Action: sts_x := det-status(x) & idx_x := idx & idx := idx + 1

Rule 3: Some open node x is not up-to-date.
Condition: ∃x ∈ V. open(·, ·) = sts_x ≠ det-status(x)
Action: sts_x := det-status(x)

Rule 4: All nodes are up-to-date, and some x has an unfulfilled eventuality φ.
Condition: Rule 3 is not applicable and ∃x ∈ V. sts_x = open(prs_x, alt_x) & ∃φ ∈ Ev ∩ F_x. prs_x(φ) = ∅
Action: sts_x := closed(alt_x)

Intuitively, the function defer(x, φ) follows the "ann_x-chain". That is, it computes φ₁ := ann_x(φ), φ₂ := ann_x(φ₁), and so on. There are two possible outcomes. The first outcome is that we eventually encounter a φ_k which is either not an eventuality or has ann_x(φ_k) = ⊥. Consequently, we cannot follow the "ann_x-chain" any more. In this case we stop and return defer(x, φ) := φ_k. The second outcome is that we can follow the "ann_x-chain" indefinitely. Then, as F_x is finite, there must exist a cycle φ₀, …, φ_n of eventualities such that ann_x(φ_i) = φ_{i+1} for all 0 ≤ i < n, and ann_x(φ_n) = φ₀. In this case we say that x (or F_x) contains an "at a world" cycle and return defer(x, φ) := ⊥.
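The ann_x-chain walk and the "at a world" cycle test, as an added Python example (not the authors' code). Formulae are treated as opaque hashable values; ann is a dict standing for ann_x (a missing key means ⊥) and is_ev decides membership in Ev. The dict representation, the predicate argument and the sample formulae in the demo are assumptions of this example.

```python
def defer(ann, phi, is_ev):
    """Follow phi -> ann[phi] -> ann[ann[phi]] -> ... while the current formula is an
    annotated eventuality. Return the formula where the chain stops, or None (for ⊥)
    when the chain revisits a formula, i.e. the node contains an 'at a world' cycle."""
    seen = set()
    cur = phi
    while is_ev(cur) and cur in ann:
        if cur in seen:
            return None                      # annotation chain loops back: ⊥
        seen.add(cur)
        cur = ann[cur]
    return cur

def has_at_a_world_cycle(formulas, ann, is_ev):
    """The cycle half of the closing test in expand: ∃φ ∈ F_x. φ ∈ Ev & defer(x, φ) = ⊥."""
    return any(is_ev(f) and defer(ann, f, is_ev) is None for f in formulas)

if __name__ == '__main__':
    # Constructed sample: formulae are strings, eventualities are those starting with '<'.
    ev = lambda f: f.startswith('<')
    # <(a*)*>p reduced to <a*><(a*)*>p (beta branch), which reduced straight back to <(a*)*>p
    cyclic = {'<(a*)*>p': '<a*><(a*)*>p', '<a*><(a*)*>p': '<(a*)*>p'}
    print(defer(cyclic, '<(a*)*>p', ev))                  # None: at-a-world cycle
    acyclic = {'<a*>p': '<a><a*>p'}                        # chain stops at the <lp>-formula
    print(defer(acyclic, '<a*>p', ev))                    # '<a><a*>p'
```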

Next we comment on all procedures given in pseudocode.

Procedure is-sat(φ) is invoked to determine whether a formula φ ∈ Fml in negation normal form is satisfiable. It creates a root node rt and initialises the graph G to contain only rt. The dummy program d is used to make rt a state so that each node in G which is not a state has a parent state. The global variable idx is used to set the time stamps of the nodes accordingly. While at least one of the rules in Table 2 is applicable, that is its condition is true, the algorithm applies any applicable rule. If no rules are applicable, the algorithm returns satisfiable iff rt is open.

Rule 1 picks an unexpanded node and expands it. Rule 2 picks an expanded but undefined node and computes its (initial) status. It also sets the correct time stamp. Rule 3 picks an open node whose status has changed and recomputes its status. Its meaning is that if we compute det-status(x) on the current graph then its result is different from the value in sts_x, and consequently, we update sts_x accordingly. Rule 4 is only applicable if all nodes are up-to-date. It picks an open node containing an eventuality φ which is currently not fulfilled in the graph and which does not have any potential rescuers either. As this indicates that φ can never be fulfilled, the node is closed.

This description leaves several questions open, most notably: "How do we 
check efficiently whether Rule 3 is applicable?" and "Which rule should be taken 
if several rules are applicable?". We address these issues in Section 5. 
Procedure expand(x) expands a node x. If F_x contains an immediate contradiction or an "at a world" cycle then we close x and set the time stamp accordingly. For the other cases, we assume implicitly that F_x does not contain either of these.

If x is a state, that is pst_x = ⊥, then we do the following for each ⟨lp⟩-formula ⟨l_i⟩φ_i in F_x. We create a new node y_i whose associated set contains φ_i and all ψ such that [l_i]ψ ∈ F_x. As none of the eventualities in F_{y_i} is reduced yet, there are no annotations. The parent state of y_i is obviously x and its parent program is l_i. In order to relate y_i to ⟨l_i⟩φ_i, we label the edge from x to y_i with ⟨l_i⟩φ_i. We call y_i the successor of ⟨l_i⟩φ_i.

If x is not a state and F_x contains an α-formula α whose decompositions are not in F_x, or which is an unannotated eventuality, we call x an α-node. In this case, we create a new node y whose associated set is the result of adding all decompositions of α to F_x. If α is an eventuality then ann_y extends ann_x by mapping α to α₁. The parent state and the parent program of y are inherited from x. Note that pst_x and ppr_x are defined as x is not a state. Also note that F_y ⊋ F_x or α is an eventuality which is annotated in ann_y but not in ann_x.

If x is neither a state nor an α-node and F_x contains a β-formula β such that neither of its immediate subformulae is in F_x, or such that β is an unannotated eventuality, we call x a β-node. For each decomposition β_i we do the following. We create a new node y_i whose associated set is the result of adding β_i to F_x. If β is an eventuality then ann_{y_i} extends ann_x by mapping β to β_i. The parent state and the parent program of y_i are inherited from x. Note that pst_x and ppr_x are defined as x is not a state. Also note that F_{y_i} ⊋ F_x or β is an eventuality which is annotated in ann_{y_i} but not in ann_x.

If x is neither a state nor an α-node nor a β-node, it must be fully saturated and we call it a special node. Intuitively, a special node sits between a saturation phase and a state and is needed to handle the "special" issue arising from converse programs, as explained in the overview. Like α- and β-nodes, special nodes have a unique parent state and a unique parent program. In this case we check whether there already exists a state y in G which has the same set of formulae as the special node. If such a state y exists, we link x to y; else we create such a state and link x to it. In both cases we label the edge with the marker cs since a special node can have several children (see below) and we want to uniquely identify the cs-child y of x. Note that there is only at most one state for each set of formulae and that states are always fully saturated since special nodes are.

Procedure expand(x) for expanding a node x

Input: a node x ∈ V with sts_x = unexp

    if ∃φ ∈ F_x. ~φ ∈ F_x or (φ ∈ Ev & defer(x, φ) = ⊥) then
        idx_x := idx; idx := idx + 1; sts_x := closed(∅)
    else (* x does not contain a contradiction *)
        sts_x := undef
        if pst_x = ⊥ then (* x is a state *)
            let ⟨l₁⟩φ₁, …, ⟨l_k⟩φ_k be all of the ⟨lp⟩-formulae in F_x
            for i ← 1 to k do
                Γ_i := {φ_i} ∪ {ψ | [l_i]ψ ∈ F_x}
                y_i := create-new-node(Γ_i, ann^⊥, x, l_i, ⊥, unexp)
                insert y_i, and an edge from x to y_i labelled with ⟨l_i⟩φ_i, into G
        else if ∃α ∈ F_x. {α₁, …, α_k} ⊈ F_x or (α ∈ Ev & ann_x(α) = ⊥) then
            Γ := F_x ∪ {α₁, …, α_k}
            ann := if α ∈ Ev then ann_x[α ↦ α₁] else ann_x
            y := create-new-node(Γ, ann, pst_x, ppr_x, ⊥, unexp)
            insert y, and an edge from x to y, into G
        else if ∃β ∈ F_x. {β₁, β₂} ∩ F_x = ∅ or (β ∈ Ev & ann_x(β) = ⊥) then
            for i ← 1 to 2 do
                Γ_i := F_x ∪ {β_i}
                ann_i := if β ∈ Ev then ann_x[β ↦ β_i] else ann_x
                y_i := create-new-node(Γ_i, ann_i, pst_x, ppr_x, ⊥, unexp)
                insert y_i, and an edge from x to y_i, into G
        else (* x is a special node *)
            if ∃y ∈ V. F_y = F_x & pst_y = ⊥ then (* state already exists in G *)
                insert an edge from x to y labelled with cs into G
            else (* state does not exist in G yet *)
                y := create-new-node(F_x, ann^⊥, ⊥, ⊥, ⊥, unexp)
                insert y, and an edge from x to y labelled with cs, into G
Procedure det-status(x) determines the current status of a node x. Its result will always be closed(·) or open(·, ·). If x is an α/β-node or a state, the procedure just calls the corresponding sub-procedure. If x is a special node, we determine the set Γ_alt of all formulae φ such that [ppr_x⁻]φ is in F_x but φ is not in the set of the parent state of x. If there is no such formula, that is Γ_alt is the empty set, we say that x is compatible with its parent state pst_x. Note that incompatibilities can only arise because of converse programs.

If x is compatible with pst_x, all is well, so we determine its status via the corresponding sub-procedure. Else we cannot connect pst_x to a state with F_x assigned to it in the putative model as explained in the overview, and, thus, we can close x. That does not, however, mean that pst_x is unsatisfiable; maybe it is just missing some formulae. We cannot extend pst_x directly as this may have side-effects elsewhere; but to tell pst_x what went wrong, we remember Γ_alt. The meaning is that if we create an alternative node for pst_x by adding the formulae in Γ_alt, we might be more successful in building an interpretation.

Procedure det-status(x) for determining the status of a node x

Input: a node x ∈ V with unexp ≠ sts_x ≠ closed(·)
Output: the new status of x

    if x is an α- or a β-node then return det-sts-β(x)
    else if x is a state then return det-sts-state(x)
    else (* x is a special node, in particular pst_x ≠ ⊥ ≠ ppr_x *)
        Γ_alt := {φ | [ppr_x⁻]φ ∈ F_x} \ F_{pst_x}
        if Γ_alt = ∅ then return det-sts-spl(x) else return closed({Γ_alt})

Procedure det-sts-β(x) for determining the status of an α- or a β-node

Input: an α- or a β-node x ∈ V with unexp ≠ sts_x ≠ closed(·)
Output: the new status of x

    let y₁, …, y_k ∈ V be all children of x
    alt := ⋃_{i=1}^{k} alt_{y_i}
    if ∀i ∈ {1, …, k}. sts_{y_i} = closed(·) then return closed(alt)
    else (* at least one child is not closed *)
        prs := prs^⊥
        foreach φ ∈ F_x ∩ Ev do
            for i ← 1 to k do Λ_i := det-prs-child(x, y_i, φ)
            Λ := if ∃i ∈ {1, …, k}. Λ_i = ⊥ then ⊥ else ⋃_{i=1}^{k} Λ_i
            prs := prs[φ ↦ Λ]
        prs' := filter(x, prs)
        return open(prs', alt)
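The two set computations that carry the converse handling, the successor sets Γ_i := {φ_i} ∪ {ψ | [l_i]ψ ∈ F_x} that expand builds for a state and the compatibility set Γ_alt := {φ | [ppr_x⁻]φ ∈ F_x} \ F_{pst_x} that det-status computes for a special node, as an added Python example (not the authors' code). Formulae are tuples ('dia', l, φ) / ('box', l, φ) for ⟨l⟩φ / [l]φ with literal programs ('atom', a) / ('conv', a); this encoding and the sample sets are constructed for the example.

```python
def converse(l):
    """l⁻ on literal programs, with (a⁻)⁻ = a."""
    return ('atom', l[1]) if l[0] == 'conv' else ('conv', l[1])

def lp_formulas(F):
    """All <l>φ in F whose program l is a literal program (the <lp>-formulae)."""
    return [f for f in F if f[0] == 'dia' and f[1][0] in ('atom', 'conv')]

def boxed_by(F, l):
    """{ψ | [l]ψ ∈ F}."""
    return frozenset(f[2] for f in F if f[0] == 'box' and f[1] == l)

def successor_set(F_state, lp):
    """Γ_i for the <lp>-formula lp = <l>φ of a state: {φ} ∪ {ψ | [l]ψ ∈ F_state}."""
    l, phi = lp[1], lp[2]
    return frozenset([phi]) | boxed_by(F_state, l)

def successors(F_state):
    """Map each <l>φ ∈ F_state to (parent program l, Γ_i): the edges and sets expand creates."""
    return {lp: (lp[1], successor_set(F_state, lp)) for lp in lp_formulas(F_state)}

def alternative_set(F_special, F_parent, ppr):
    """Γ_alt of det-status: the formulae the parent state must contain for the special
    node to be compatible with being a ppr-successor of it. Empty means compatible."""
    return boxed_by(F_special, converse(ppr)) - frozenset(F_parent)

def restart_set(F_parent, gamma_alt):
    """Formula set of the alternative node x⁺ for the parent state: F_{pst_x} ∪ Γ_alt."""
    return frozenset(F_parent) | gamma_alt

if __name__ == '__main__':
    # Constructed sample: the state F_x = {<a>[a⁻]p, [a]r} is saturated (no α/β-rule applies).
    P, R = ('p', 'p'), ('p', 'r')
    A, AC = ('atom', 'a'), ('conv', 'a')
    F_x = frozenset({('dia', A, ('box', AC, P)), ('box', A, R)})
    for lp, (l, gamma) in successors(F_x).items():
        print(lp, '->', l, sorted(gamma))          # Γ = {[a⁻]p, r}
        # Γ contains no α/β-formula, so the special node carries Γ itself.
        print('Γ_alt =', alternative_set(gamma, F_x, l))   # {p}: x is "too small"
        print('x⁺ =', sorted(restart_set(F_x, alternative_set(gamma, F_x, l))))
```

With p added to the parent state, the same successor becomes compatible and Γ_alt is empty; that is exactly the "restart as x⁺" step of the overview.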
Procedure det-sts-β(x) computes the status of an α- or a β-node x ∈ V. For this task, an α-node can be seen as a β-node with exactly one child. The set of alternative sets of x is the union of the sets of alternative sets of all children. If all children of x are closed then x must also be closed. Otherwise we compute the set of potential rescuers for each eventuality φ in F_x as follows. For each child y_i of x we determine the potential rescuers of φ which result from following y_i by invoking det-prs-child. If the set of potential rescuers corresponding to some y_i is ⊥ then φ can currently be fulfilled via y_i and prs_x(φ) is set to ⊥. Else φ cannot currently be fulfilled in G, but each child returned a set of potential rescuers, and the set of potential rescuers for φ is their union. Finally, we deal with potential rescuers in prs of the form (x, ψ) for some ψ ∈ Ev by calling filter.
Procedure det-sts-state(x) computes the status of a state x ∈ V. We obtain the successors for all ⟨lp⟩-formulae in F_x. If any successor is closed then x is closed with the same set of alternative sets. Else the set of alternative sets of x is the union of the sets of alternative sets of all children and we compute the potential rescuers for each eventuality ⟨l_i⟩φ_i in F_x by invoking det-prs-child. Finally, we deal with potential rescuers in prs of the form (x, ψ) for some ψ ∈ Ev by calling filter. Note that we do not consider eventualities which are not ⟨lp⟩-formulae. The intuitive reason is that the potential rescuers of such eventualities are determined by following the annotation chain (see below). However, different special nodes which have the same set, and hence all link to x, might have different annotations. Hence we cannot (and do not need to) fix the potential rescuer sets for eventualities in x which are not ⟨lp⟩-formulae.

Procedure det-sts-state(x) for determining the status of a state

Input: a state x ∈ V with unexp ≠ sts_x ≠ closed(·)
Output: the new status of x

    let ⟨l₁⟩φ₁, …, ⟨l_k⟩φ_k be all of the ⟨lp⟩-formulae in F_x
    for i ← 1 to k do y_i := getChild(x, ⟨l_i⟩φ_i)
    if ∃i ∈ {1, …, k}. sts_{y_i} = closed(alt) then return closed(alt)
    else (* no child is closed *)
        alt := ⋃_{i=1}^{k} alt_{y_i}
        prs := prs^⊥
        for i ← 1 to k do
            if ⟨l_i⟩φ_i ∈ Ev then
                Λ := det-prs-child(x, y_i, φ_i)
                prs := prs[⟨l_i⟩φ_i ↦ Λ]
        prs' := filter(x, prs)
        return open(prs', alt)
Procedure det-sts-spl(x) computes the status of a special node x ∈ V. First, we retrieve the state y₀ corresponding to x, namely the unique cs-child of x. For all alternative sets Γ_i of y₀ we do the following. If there does not exist a child of x such that the corresponding edge is labelled with Γ_i, we create a new node y_i whose associated set is the result of adding the formulae in Γ_i to F_x. The annotations, the parent state, and the parent program of y_i are inherited from x. We label the new edge from x to y_i with Γ_i. In other words we unpack the information stored in the alternative sets in alt_{y₀} into actual nodes which are all children of x. Note that each Γ_i ≠ ∅ by construction in det-status. Some children of x may not be referenced from alt_{y₀}, but we consider them anyway.

The set of alternative sets of x is the union of the sets of alternative sets of all children, with the exception of y₀ since the alternative sets of y₀ are not related to pst_x but affect x directly as we have seen. If all children of x are closed then x must also be closed. Otherwise we compute the set of potential rescuers for each eventuality φ in F_x as follows.

First, we determine φ' := defer(x, φ). Note that φ' is defined because the special node x cannot contain an "at a world" cycle by definition. If φ' is not an eventuality then φ is fulfilled in x and prs(φ) remains ⊥. If φ' is an eventuality, it must be a ⟨lp⟩-formula as x is a special node. We use φ' instead of φ since only ⟨lp⟩-formulae have a meaningful interpretation in prs_{y_i} (see above). For each child y_i of x we determine the potential rescuers of φ' by invoking det-prs-child. If the set of potential rescuers corresponding to some y_i is ⊥ then φ' can currently be fulfilled via y_i and so prs_x(φ) is set to ⊥. Otherwise φ' cannot currently be fulfilled in G, but each child returned a set of potential rescuers, and the set of potential rescuers for φ is their union. Finally, we deal with potential rescuers in prs of the form (x, ψ) for some ψ ∈ Ev by calling filter.

Procedure det-sts-spl(x) for determining the status of a special node

Input: a special node x ∈ V with unexp ≠ sts_x ≠ closed(·)
Output: the new status of x

    y₀ := getChild(x, cs)
    let Γ₁, …, Γ_j be all the sets in the set alt_{y₀}
    for i ← 1 to j do
        y_i := getChild(x, Γ_i)
        if y_i = ⊥ then (* child does not exist *)
            y_i := create-new-node(F_x ∪ Γ_i, ann_x, pst_x, ppr_x, ⊥, unexp)
            insert y_i, and an edge from x to y_i labelled with Γ_i, into G
    let y_{j+1}, …, y_k be all the remaining children of x
    alt := ⋃_{i=1}^{k} alt_{y_i}
    if ∀i ∈ {0, …, k}. sts_{y_i} = closed(·) then return closed(alt)
    else (* at least one child is not closed *)
        prs := prs^⊥
        foreach φ ∈ F_x ∩ Ev do
            φ' := defer(x, φ)
            if φ' ∈ Ev then
                for i ← 0 to k do Λ_i := det-prs-child(x, y_i, φ')
                Λ := if ∃i ∈ {0, …, k}. Λ_i = ⊥ then ⊥ else ⋃_{i=0}^{k} Λ_i
                prs := prs[φ ↦ Λ]
        prs' := filter(x, prs)
        return open(prs', alt)
Procedure det-prs-child(x, y, φ) determines whether an eventuality ψ ∈ F_x, which is not passed as an argument, can be fulfilled via y such that φ is part of the corresponding fulfilling path; or else which potential rescuers ψ can reach via y and φ. If y is closed, it cannot help to fulfil ψ, as indicated by the empty set. If y is undefined or did not become defined before x then (y, φ) itself is a potential rescuer of ψ. Else, if φ can be fulfilled, i.e. prs_y(φ) = ⊥, then ψ can be fulfilled too, so we return ⊥. Otherwise we invoke the procedure recursively on all potential rescuers in prs_y(φ). If at least one of these invocations returns ⊥ then ψ can be fulfilled via y, φ and the corresponding rescuer in prs_y(φ). If all invocations return a set of potential rescuers, the set of potential rescuers for ψ is their union. The recursion is well-defined because if (z_i, φ_i) ∈ prs_y(φ) then either z_i is still undefined or z_i became defined later than y.

Each invocation of det-prs-child can be uniquely assigned to the invocation of det-sts-β, det-sts-state, or det-sts-spl which (possibly indirectly) invoked it. To meet our complexity bound, we require that under the same invocation of det-sts-β, det-sts-state, or det-sts-spl, the procedure det-prs-child is only executed at most once for each argument triple. Instead of executing it a second time with the same arguments, it uses the cached result of the first invocation. Since det-prs-child does not modify the graph, the second invocation would return the same result as the first one. An easy implementation of the cache is to store the result of det-prs-child(x, y, φ) in the node y together with φ and a unique id number for each invocation of det-sts-β, det-sts-state, or det-sts-spl.

Procedure filter$(x, \mathrm{prs})$ deals with the potential rescuers for each eventuality of a node $x$ which are of the form $(x, \psi)$ for some $\psi \in \mathrm{Ev}$. The second argument of filter is a provisional prs for $x$. If an eventuality $\varphi \in F_x$ is currently fulfillable in $G$ there is nothing to be done, so let $(x, \psi) \in \mathrm{prs}(\varphi)$. If $\psi = \varphi$ then $(x, \psi)$ cannot be a potential rescuer for $\varphi$ in $x$ and should not appear in $\mathrm{prs}(\varphi)$. But what about potential rescuers of the form $(x, \psi)$ with $\psi \neq \varphi$? Since we want the nodes in the potential rescuers to become defined later than $x$, we cannot keep $(x, \psi)$ in $\mathrm{prs}(\varphi)$; but we cannot just ignore the pair either.

Intuitively, $(x, \psi) \in \mathrm{prs}(\varphi)$ means that $\varphi \in F_x$ can "reach" $\psi \in F_x$ by following a loop in $G$ which starts at $x$ and returns to $x$ itself. Thus if $\psi$ can be fulfilled in $G$, so can $\varphi$; and all potential rescuers of $\psi$ are also potential rescuers of $\varphi$. The function reach$(\mathrm{prs}, x, \varphi)$ computes all eventualities in $x$ which are "reachable" from $\varphi$ in the sense above, where transitivity is taken into account. That is, it detects all self-loops from $x$ to itself which are relevant for fulfilling $\varphi$. We add $\varphi$ itself, as reach$(\mathrm{prs}, x, \varphi)$ does not contain it. If any of these eventualities is fulfilled in $G$, then $\varphi$ can be fulfilled and is consequently undefined in the resulting prs'. Otherwise we take all their potential rescuers whose nodes are not $x$.

Theorem 6 (Soundness, Completeness and Complexity). Let $\varphi \in \mathrm{Fml}$ be a formula in negation normal form of size $n$. The procedure is-sat$(\varphi)$ terminates, runs in EXPTIME in $n$, and $\varphi$ is satisfiable iff is-sat$(\varphi)$ returns true.

5 Implementation, Optimisations, and Strategy 

It should be fairly straightforward to implement our algorithm. It remains to show an efficient way to find nodes which are not up-to-date. It is not too hard to see that the status of a node $x$ can become outdated only if its children change their status, or if det-prs-child$(x, y, \cdot)$ was invoked when $x$'s previous status was determined and $y$ now changes its status. If we keep track of nodes of the second kind by inserting additional "update"-edges as described in [7], we can use a queue for all nodes that might need updating. When the status of a node is modified, we queue all parents and all nodes linked by "update"-edges.

We have omitted several refinements from our description for clarity. The most important is that if a state $s$ is closed, all non-states which have $s$ as a parent state are ignorable, since their status cannot influence any other node $t$ unless $t$ also has $s$ as a parent state. Moreover, if every special node parent $x$ of a state $s'$ is incompatible or itself has a closed parent state, then $s'$ and the nodes having $s'$ as parent state are ignorable. This applies transitively, but if $s'$ gets a new parent whose parent state is not closed, then $s'$ becomes "active" again.

Another issue is which rule to choose if several are applicable. As we have 
seen, it is advantageous to close nodes as early as possible. Apart from immediate 
contradictions, we have Rule 4 which closes a node because it contains an un- 
fulfillable eventuality. If we can apply Rule 4 early while the graph is still small, 
we might prevent big parts of the graph being built needlessly later. Trying to 
apply Rule 4 has several consequences on the strategy of how to apply rules. 

First, it is important to keep all nodes up-to-date since Rule 4 is not appli- 
cable otherwise. Second, it is preferable that a node x cannot reach open nodes 
which became defined (or will be defined) after x did. Hence, we should try to 
use Rule 2 on a node only if all children are already defined. 

6 An Example 

To demonstrate how the algorithm works, we invoke it on the satisfiable toy formula $\langle a\rangle\phi$ where $\phi := \langle a^*\rangle[a^-]p$. To save space, Fig. 1 only shows the core subgraph of the tableau. Remember that the order of rule applications is not fixed, but the example will follow some of the guidelines given in Section 5.

The nodes in Fig. 1 are numbered in order of creation. The annotation ann is indicated within $F$. For example, in node (3), we have $F_3 = \{\phi, [a^-]p\}$, and $\mathrm{ann}_3$ maps the eventuality $\phi$ to $[a^-]p$ and is undefined elsewhere. The bottom line of a node contains the parent state and the parent program on the left, and the time stamp on the right. We do not show the status of a node since it changes during the algorithm, but explain it in the text. If we write $\mathrm{sts}_x = \mathrm{open}(A, \cdot)$ where $A \subseteq V \times \mathrm{Ev}$, we mean that $\mathrm{prs}_x$ maps all eventualities in $F_x$, with the exception of non-$\langle l\rangle$-formulae if $x$ is a state, to $A$ and is undefined elsewhere.

We only consider the core subgraph of $\phi$ and start by expanding node (1), which creates (2). Then we expand (2) and create (3) and (4), which are both special nodes. Next we expand (3) and create the state (5). Expanding (5) creates no new nodes since $F_5$ contains no $\langle l\rangle$-formula. Now we define (5) and then (3). This results in setting $\mathrm{sts}_5 := \mathrm{open}(\mathrm{prs}^{\bot}, \emptyset)$ according to det-sts-state, and $\mathrm{sts}_3 := \mathrm{closed}(\{p\})$ since (3) is not compatible with its parent state (1). Expanding (4) inserts the edge from (4) to (1), and defining (4) sets $\mathrm{sts}_4 := \mathrm{open}(\{(1, \langle a\rangle\phi)\}, \emptyset)$ according to det-sts-spl. Note that (6) does not exist yet. Next we define (2) and then (1), which results in setting $\mathrm{sts}_2 := \mathrm{open}(\{(1, \langle a\rangle\phi)\}, \{p\})$ according to det-sts-β and $\mathrm{sts}_1 := \mathrm{open}(\emptyset, \{p\})$ thanks to filter.

Note that $\langle a\rangle\phi \in F_1$ has an empty set of potential rescuers. In PDL, we could thus close (1), but converse programs complicate matters for CPDL, as reflected by the fact that Rule 4 is not applicable for (1) because (4) is not up-to-date. Updating (4) creates (6) and sets $\mathrm{sts}_4 := \mathrm{open}(\{(1, \langle a\rangle\phi), (6, \langle a\rangle\phi)\}, \emptyset)$. Updating (2) and then (1) sets $\mathrm{sts}_2 := \mathrm{open}(\{(1, \langle a\rangle\phi), (6, \langle a\rangle\phi)\}, \{p\})$ and $\mathrm{sts}_1 := \mathrm{open}(\{(6, \langle a\rangle\phi)\}, \{p\})$. Now all nodes are up-to-date, but Rule 4 is not applicable for (1) because the set of potential rescuers for $\langle a\rangle\phi$ is no longer empty.
Procedure det-prs-child$(x, y, \psi)$ for passing a prs-entry of a child to a parent

Input: two nodes $x, y \in V$ and a formula $\psi \in F_y \cap \mathrm{Ev}$
Output: $\bot$ or a set of node-formula pairs

Remark: if det-prs-child$(x, y, \psi)$ has been invoked before with exactly the same arguments and under the same invocation of det-sts-β, det-sts-state or det-sts-spl, the procedure is not executed a second time but returns the cached result of the first invocation. We do not model this behaviour explicitly in the pseudocode.

if $\mathrm{sts}_y = \mathrm{closed}(\cdot)$ then return $\emptyset$
else if $\mathrm{sts}_y = \mathrm{unexp}$ or $\mathrm{sts}_y = \mathrm{undef}$ or not $y \sqsubset x$ then return $\{(y, \psi)\}$
else (* $\mathrm{sts}_y = \mathrm{open}(\cdot, \cdot)$ & $y \sqsubset x$ *)
    if $\mathrm{prs}_y(\psi) = \bot$ then return $\bot$
    else (* $\mathrm{prs}_y(\psi)$ is defined *)
        let $(z_1, \varphi_1), \dots, (z_k, \varphi_k)$ be all of the pairs in $\mathrm{prs}_y(\psi)$
        for $i \leftarrow 1$ to $k$ do $\Lambda_i :=$ det-prs-child$(x, z_i, \varphi_i)$
        if $\exists j \in \{1, \dots, k\}.\ \Lambda_j = \bot$ then return $\bot$ else return $\bigcup_{i=1}^{k} \Lambda_i$
Fig. 1. An example: the graph $G$ just before setting the status of node (2)
Procedure filter$(x, \mathrm{prs})$ for handling self-loops in prs chains in $G$

Input: a node $x$ and a function $\mathrm{prs} : \mathrm{Ev} \rightharpoonup (2^{V \times \mathrm{Ev}})^{\bot}$
Output: prs where self-loops have been handled

$\mathrm{prs}' := \mathrm{prs}$

foreach $\varphi \in F_x \cap \mathrm{Ev}$ such that $\mathrm{prs}(\varphi) \neq \bot$ do
    $\Lambda := \{\varphi\} \cup \mathrm{reach}(\mathrm{prs}, x, \varphi)$
    if not $\exists \chi \in \Lambda.\ \mathrm{prs}(\chi) = \bot$ then
        $\Lambda := \bigcup_{\chi \in \Lambda} \{(z, \psi) \in \mathrm{prs}(\chi) \mid z \neq x\}$
        $\mathrm{prs}' := \mathrm{prs}'[\varphi \mapsto \Lambda]$
    else $\mathrm{prs}' := \mathrm{prs}'[\varphi \mapsto \bot]$

return $\mathrm{prs}'$
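As an added illustration (this is not the paper's OCaml code), the following Python transcribes det-prs-child, including the per-invocation cache described above, together with reach and filter, and drives them the way det-sts-β combines the children's answers before calling filter. The graph is constructed for this example: node names, statuses, time stamps and prs tables are made up to exercise each branch, formulae are plain string labels, and it is not the graph of Fig. 1. The two scenarios differ only in whether child $y_1$ already fulfils the eventuality e2; in the first, filter turns the self-loop entry $(x, \mathrm{e2})$ into $\bot$ for e1 as well, in the second it merges the rescuers of e1 and e2 and drops the $(x, \cdot)$ pairs.

```python
"""Added example, not the paper's OCaml code: det-prs-child with its per-invocation
cache, reach and filter, driven as det-sts-beta combines the children's answers.
The graph below is constructed for illustration (names, statuses, time stamps and
prs tables are made up; formulae are string labels) and is not the graph of Fig. 1."""
from dataclasses import dataclass, field
from typing import Optional

BOT = None   # the paper's bottom: "this eventuality can currently be fulfilled"


@dataclass
class Node:
    status: str                               # 'unexp' | 'undef' | 'open' | 'closed'
    ts: Optional[int] = None                  # time stamp of definition, None while undefined
    prs: dict = field(default_factory=dict)   # eventuality -> frozenset of (node, formula), or BOT


def defined_before(g, y, x):
    """The paper's order: y became defined before x (an undefined x counts as later)."""
    return g[y].ts is not None and (g[x].ts is None or g[y].ts < g[x].ts)


def det_prs_child(g, x, y, psi, cache, inv_id, stats):
    """Procedure det-prs-child(x, y, psi); results are cached per (inv_id, x, y, psi)."""
    key = (inv_id, x, y, psi)
    if key in cache:
        stats['hits'] += 1
        return cache[key]
    stats['exec'] += 1
    ny = g[y]
    if ny.status == 'closed':
        res = frozenset()                               # a closed child cannot help
    elif ny.status in ('unexp', 'undef') or not defined_before(g, y, x):
        res = frozenset({(y, psi)})                     # (y, psi) is itself a potential rescuer
    elif ny.prs[psi] is BOT:
        res = BOT                                       # psi is fulfilled via y, so is the caller's eventuality
    else:                                               # recurse into y's own potential rescuers
        parts = [det_prs_child(g, x, z, phi, cache, inv_id, stats)
                 for (z, phi) in sorted(ny.prs[psi])]
        res = BOT if any(p is BOT for p in parts) else frozenset().union(*parts)
    cache[key] = res
    return res


def reach(prs, x, phi):
    """Eventualities of x reachable from phi through (x, .) self-loop entries, transitively."""
    found, todo = set(), [phi]
    while todo:
        pairs = prs[todo.pop()]
        if pairs is BOT:
            continue
        for z, chi in pairs:
            if z == x and chi not in found:
                found.add(chi)
                todo.append(chi)
    return found


def filter_prs(x, prs):
    """Procedure filter(x, prs): resolve the self-loop entries (x, chi) of a provisional prs."""
    out = dict(prs)
    for phi, pairs in prs.items():
        if pairs is BOT:
            continue
        lam = {phi} | reach(prs, x, phi)
        if any(prs[chi] is BOT for chi in lam):
            out[phi] = BOT                              # a looped-to eventuality is fulfilled, hence phi is
        else:
            out[phi] = frozenset((z, psi) for chi in lam for z, psi in prs[chi] if z != x)
    return out


def combine_children(g, x, children, eventualities, cache, inv_id, stats):
    """Union step of det-sts-beta: bottom if some child fulfils phi, else the union of rescuers."""
    prs = {}
    for phi in eventualities:
        lams = [det_prs_child(g, x, y, phi, cache, inv_id, stats) for y in children]
        prs[phi] = BOT if any(l is BOT for l in lams) else frozenset().union(*lams)
    return prs


def build_graph(e2_fulfilled_in_y1):
    """Constructed toy graph: x is being defined; y1 (open) and y2 (closed) are its children."""
    e2_entry = BOT if e2_fulfilled_in_y1 else frozenset({('z', 'e1'), ('v', 'e2')})
    return {
        'x':  Node('undef'),
        'y1': Node('open', 1, {'e1': frozenset({('z', 'e1')}), 'e2': e2_entry}),
        'y2': Node('closed', 2),
        'z':  Node('open', 3, {'e1': frozenset({('u', 'e1'), ('x', 'e2')})}),  # loops back to x
        'u':  Node('unexp'),
        'v':  Node('undef'),
    }


def determine(e2_fulfilled_in_y1):
    """Returns (provisional prs, prs after filter, cache statistics) for node x."""
    g = build_graph(e2_fulfilled_in_y1)
    cache, stats = {}, {'exec': 0, 'hits': 0}
    prov = combine_children(g, 'x', ['y1', 'y2'], ['e1', 'e2'], cache, 1, stats)
    return prov, filter_prs('x', prov), stats


if __name__ == '__main__':
    for case in (True, False):
        print(determine(case))
```

In the second scenario the pair $(z, \mathrm{e1})$ is requested from two different eventualities of $x$ under the same invocation id, so the second request is served from the cache; the statistics returned by determine() make that visible.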



Next we expand (6), which creates (7), then (7), which creates (8), then (8), which creates (9) and (10), and finally (9), which creates no new nodes. Node (9) is similar to (3), but unlike (3), it is compatible with its parent state (7), which results in $\mathrm{sts}_9 := \mathrm{open}(\bot, \emptyset)$. Using our strategy from the last section, we would now expand (10) so that (8) can become defined after both its children became defined. Since (9) fulfils all its eventualities, we choose to define (8) instead and set $\mathrm{sts}_8 := \mathrm{open}(\bot, \emptyset)$. Next we define (7) and then (6), which sets $\mathrm{sts}_7 := \mathrm{open}(\bot, \emptyset)$ and $\mathrm{sts}_6 := \mathrm{open}(\bot, \emptyset)$. The status of (4) is not affected since (6) was defined after (4), giving "not $(6) \sqsubset (4)$" in det-prs-child$(4, 6, \langle a\rangle\phi)$.

We expand (10), which inserts the edge from (10) to (1). Then we define (10), which creates (11) and sets $\mathrm{sts}_{10} := \mathrm{open}(\bot, \emptyset)$. Note that the invocation of det-prs-child$(10, 1, \langle a\rangle\phi)$ in the invocation det-sts-spl$(10)$ leads to the recursive invocation det-prs-child$(10, 6, \langle a\rangle\phi)$. Expanding and defining (11) yields $\mathrm{sts}_{11} := \mathrm{open}(\bot, \emptyset)$. Finally, no rule is applicable in the shown subgraph.
A Soundness, Completeness, and Complexity

We start by some more definitions. 

Definition 7. We define the size $|\cdot|$ on formulae and programs in negation normal form inductively as follows:

- $|p| := |\neg p| := |a| := |a^-| := 1$
- $|\varphi \wedge \psi| := |\varphi \vee \psi| := 1 + |\varphi| + |\psi|$
- $|\langle\gamma\rangle\varphi| := |[\gamma]\varphi| := |\gamma| + |\varphi|$
- $|\gamma;\delta| := |\gamma \cup \delta| := 1 + |\gamma| + |\delta|$
- $|\varphi?| := 1 + |\varphi|$
- $|\gamma^*| := 1 + |\gamma|$.

Definition 8. Let $\phi \in \mathrm{Fml}$ be a formula in negation normal form. The closure $\mathrm{cl}(\phi)$ is the least set of formulae such that:

- $\phi \in \mathrm{cl}(\phi)$
- $\langle l\rangle\psi \in \mathrm{cl}(\phi)$ or $[l]\psi \in \mathrm{cl}(\phi)$ $\Rightarrow$ $\psi \in \mathrm{cl}(\phi)$
- $\alpha \in \mathrm{cl}(\phi)$ $\Rightarrow$ $\alpha_1 \in \mathrm{cl}(\phi)$ & $\alpha_2 \in \mathrm{cl}(\phi)$
- $\beta \in \mathrm{cl}(\phi)$ $\Rightarrow$ $\beta_1 \in \mathrm{cl}(\phi)$ & $\beta_2 \in \mathrm{cl}(\phi)$.

It is easy to see that all formulae in $\mathrm{cl}(\phi)$ are also in negation normal form.

Definition 9. A transition frame is a pair $(W, R)$ where $W$ is a non-empty set of worlds and $R : \mathrm{APrg} \to 2^{W \times W}$ is a function mapping each atomic program $a \in \mathrm{APrg}$ to a binary relation $R_a$ over $W$. We extend $R$ to $\mathrm{LPrg}$ by defining $R_{a^-} := \{(w, v) \mid (v, w) \in R_a\}$. A model $(W, R, V)$ is a transition frame $(W, R)$ and a valuation function $V : \mathrm{AFml} \to 2^W$ mapping each propositional variable $p \in \mathrm{AFml}$ to a set $V(p)$ of worlds where $p$ is "true".

Definition 10. A formula $\varphi \in \mathrm{Fml}$ is satisfiable iff there exists a model $M = (W, R, V)$ and a world $w$ s.t. $M, w \Vdash \varphi$, and valid iff $\neg\varphi$ is unsatisfiable.

Proposition 11. In the notation of Table 1, the formulae of the form $\alpha \leftrightarrow \alpha_1 \wedge \alpha_2$ and $\beta \leftrightarrow \beta_1 \vee \beta_2$ are valid.
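To make Definitions 9 and 10 concrete, here is a small model checker for CPDL over finite models, added for this page and not part of the paper. Formulae and programs are nested Python tuples in negation normal form (an encoding chosen for this example); rel() extends $R$ from atomic programs to all programs (converse, composition, choice, test, and the reflexive-transitive closure for star), and sat() returns the set of worlds at which a formula holds. The two-world model is constructed for the example: it witnesses that the toy formula $\langle a\rangle\langle a^*\rangle[a^-]p$ of Section 6 is satisfiable, while the same frame with $p$ true nowhere falsifies it, and unfold_star_ok() checks one instance of the $\beta$-equivalence of Proposition 11 on a given model.

```python
"""Added example, not part of the paper: a model checker for CPDL over finite models.
Formulae and programs are nested tuples in negation normal form (our own encoding):
  ('p', name) | ('np', name) | ('and', f, g) | ('or', f, g) | ('dia', prg, f) | ('box', prg, f)
  ('a', name) | ('ac', name) for a^- | ('seq', g, d) | ('cup', g, d) | ('star', g) | ('test', f)
A model is (W, R, V): W a set of worlds, R maps atomic program names to sets of
pairs, V maps variable names to sets of worlds (Definition 9)."""


def rel(model, prg):
    """R_prg as a set of pairs, extending R from atomic programs to all programs."""
    W, R, _ = model
    kind = prg[0]
    if kind == 'a':
        return set(R.get(prg[1], set()))
    if kind == 'ac':                                   # converse: (w, v) in R_{a^-} iff (v, w) in R_a
        return {(v, w) for (w, v) in R.get(prg[1], set())}
    if kind == 'seq':
        r1, r2 = rel(model, prg[1]), rel(model, prg[2])
        return {(w, u) for (w, v) in r1 for (v2, u) in r2 if v == v2}
    if kind == 'cup':
        return rel(model, prg[1]) | rel(model, prg[2])
    if kind == 'test':
        return {(w, w) for w in sat(model, prg[1])}
    if kind == 'star':                                 # reflexive-transitive closure, iterated to a fixpoint
        r, cl = rel(model, prg[1]), {(w, w) for w in W}
        while True:
            nxt = cl | {(w, u) for (w, v) in cl for (v2, u) in r if v == v2}
            if nxt == cl:
                return cl
            cl = nxt
    raise ValueError(kind)


def sat(model, f):
    """The set of worlds w of the model at which f holds."""
    W, _, V = model
    kind = f[0]
    if kind == 'p':
        return set(V.get(f[1], set()))
    if kind == 'np':
        return W - V.get(f[1], set())
    if kind == 'and':
        return sat(model, f[1]) & sat(model, f[2])
    if kind == 'or':
        return sat(model, f[1]) | sat(model, f[2])
    r, s = rel(model, f[1]), sat(model, f[2])
    if kind == 'dia':                                  # some prg-successor satisfies f
        return {w for (w, v) in r if v in s}
    if kind == 'box':                                  # all prg-successors satisfy f
        return {w for w in W if all(v in s for (w2, v) in r if w2 == w)}
    raise ValueError(kind)


def satisfiable_in(model, f):
    """Definition 10 restricted to one given model: some world of it satisfies f."""
    return bool(sat(model, f))


def unfold_star_ok(model, gamma, chi):
    """One instance of Proposition 11: <gamma*>chi and chi v <gamma><gamma*>chi agree on the model."""
    lhs = sat(model, ('dia', ('star', gamma), chi))
    rhs = sat(model, chi) | sat(model, ('dia', gamma, ('dia', ('star', gamma), chi)))
    return lhs == rhs


# Constructed two-world model: 0 --a--> 1, with p true at world 0 only.
A, AC, P = ('a', 'a'), ('ac', 'a'), ('p', 'p')
TOY = ('dia', A, ('dia', ('star', A), ('box', AC, P)))        # <a><a*>[a^-]p from Section 6
MODEL_SAT = ({0, 1}, {'a': {(0, 1)}}, {'p': {0}})
MODEL_UNSAT = ({0, 1}, {'a': {(0, 1)}}, {'p': set()})          # same frame, p nowhere

if __name__ == '__main__':
    print(sat(MODEL_SAT, TOY), sat(MODEL_UNSAT, TOY))
```

World 1 of MODEL_SAT satisfies $[a^-]p$ because its only $a$-predecessor, world 0, carries $p$; the zero-step case of $a^*$ then gives $\langle a^*\rangle[a^-]p$ at world 1 and hence the toy formula at world 0.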

Definition 12. For a given $\varphi \in \mathrm{Fml}$, the (infinite) set $\mathrm{pre}(\varphi)$ is defined as:

$$\mathrm{pre}(\varphi) := \{\psi \in \mathrm{Fml} \mid \exists k \in \mathbb{N}_0.\ \exists \gamma_1, \dots, \gamma_k \in \mathrm{Prg}.\ \psi = \langle\gamma_1\rangle\cdots\langle\gamma_k\rangle\varphi\}.$$

The set of all eventualities is defined as:

$$\mathrm{Ev} := \bigcup_{\varphi \in \Delta} \mathrm{pre}(\varphi) \quad\text{where}\quad \Delta := \{\langle\gamma^*\rangle\psi \mid \gamma \in \mathrm{Prg}\ \&\ \psi \in \mathrm{Fml}\}.$$

For all $\varphi, \psi \in \mathrm{Fml}$, the binary relation $\leadsto$ on formulae is defined as: $\varphi \leadsto \psi$ iff (exactly) one of the following conditions is true:

- $\exists \chi \in \mathrm{Fml}.\ \exists \gamma, \delta \in \mathrm{Prg}.\ \varphi = \langle\gamma;\delta\rangle\chi\ \&\ \psi = \langle\gamma\rangle\langle\delta\rangle\chi$
- $\exists \chi \in \mathrm{Fml}.\ \exists \gamma, \delta \in \mathrm{Prg}.\ \varphi = \langle\gamma \cup \delta\rangle\chi\ \&\ (\psi = \langle\gamma\rangle\chi$ or $\psi = \langle\delta\rangle\chi)$
- $\exists \chi \in \mathrm{Fml}.\ \exists \gamma \in \mathrm{Prg}.\ \varphi = \langle\gamma^*\rangle\chi\ \&\ (\psi = \chi$ or $\psi = \langle\gamma\rangle\langle\gamma^*\rangle\chi)$
- $\exists \chi, \psi' \in \mathrm{Fml}.\ \varphi = \langle\psi'?\rangle\chi\ \&\ \psi = \chi$.

Intuitively, using Table 1, the relation $\leadsto$ relates a $\langle\rangle$-formula $\alpha$ (respectively $\beta$) to $\alpha_1$ (respectively $\beta_1$ and $\beta_2$), while $\mathrm{pre}(\varphi)$ captures that $\langle\gamma^*\rangle\varphi$ can be "reduced" to $\langle\gamma\rangle\langle\gamma^*\rangle\varphi$, which can be reduced to $\langle\gamma_1\rangle\cdots\langle\gamma_k\rangle\langle\gamma^*\rangle\varphi$. Note that $\varphi \in \mathrm{pre}(\varphi)$.
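The following Python, added here and not taken from the paper's implementation, encodes formulae and programs in negation normal form as nested tuples (our own encoding) and implements Definitions 7, 8 and 12: the size function, the closure $\mathrm{cl}(\phi)$, the test "$\varphi \in \mathrm{Ev}$" and the successors of a formula under $\leadsto$. Table 1 is not reproduced on this page; the $\alpha/\beta$ decomposition used by closure() below is the standard one for PDL in negation normal form and is an assumption of this example. It is exercised on the toy formula $\phi = \langle a^*\rangle[a^-]p$ of Section 6 and checks the two facts about $\mathrm{cl}(\phi)$ that the proof of Theorem 19 relies on, namely $|\mathrm{cl}(\phi)| \leq |\phi|$ and $|\psi| \leq |\phi|^2$ for every $\psi \in \mathrm{cl}(\phi)$.

```python
"""Added example, not the paper's implementation: Definitions 7, 8 and 12 on
nested-tuple formulae and programs in negation normal form (our own encoding):
  ('p', name) | ('np', name) | ('and', f, g) | ('or', f, g) | ('dia', prg, f) | ('box', prg, f)
  ('a', name) | ('ac', name) for a^- | ('seq', g, d) | ('cup', g, d) | ('star', g) | ('test', f)
The alpha/beta decomposition in decompose() is the standard one for PDL and is
assumed here, since Table 1 of the paper is not reproduced on this page."""


def size(t):
    """Definition 7: the size of a formula or program."""
    kind = t[0]
    if kind in ('p', 'np', 'a', 'ac'):
        return 1
    if kind in ('and', 'or', 'seq', 'cup'):
        return 1 + size(t[1]) + size(t[2])
    if kind in ('dia', 'box'):
        return size(t[1]) + size(t[2])
    if kind in ('test', 'star'):
        return 1 + size(t[1])
    raise ValueError(kind)


def nnf_neg(f):
    """Negation kept in negation normal form (programs, and the tests inside them, are unchanged)."""
    kind = f[0]
    if kind == 'p':
        return ('np', f[1])
    if kind == 'np':
        return ('p', f[1])
    if kind == 'and':
        return ('or', nnf_neg(f[1]), nnf_neg(f[2]))
    if kind == 'or':
        return ('and', nnf_neg(f[1]), nnf_neg(f[2]))
    if kind == 'dia':
        return ('box', f[1], nnf_neg(f[2]))
    return ('dia', f[1], nnf_neg(f[2]))


def decompose(f):
    """Assumed Table 1: ('alpha', parts) or ('beta', parts); None for literals and <l>/[l] with l in LPrg."""
    kind = f[0]
    if kind == 'and':
        return ('alpha', [f[1], f[2]])
    if kind == 'or':
        return ('beta', [f[1], f[2]])
    if kind not in ('dia', 'box'):
        return None
    mod, prg, chi = f
    pk = prg[0]
    if pk in ('a', 'ac'):
        return None
    if pk == 'seq':                                   # <g;d>chi and [g;d]chi both unfold to one part
        return ('alpha', [(mod, prg[1], (mod, prg[2], chi))])
    if pk == 'cup':                                   # choice: beta under <>, alpha under []
        return ('beta' if mod == 'dia' else 'alpha', [(mod, prg[1], chi), (mod, prg[2], chi)])
    if pk == 'star':                                  # star: chi, or one step and then the star again
        return ('beta' if mod == 'dia' else 'alpha', [chi, (mod, prg[1], f)])
    # test: <psi?>chi is alpha with parts chi, psi; [psi?]chi is beta with parts ~psi, chi
    return ('alpha', [chi, prg[1]]) if mod == 'dia' else ('beta', [nnf_neg(prg[1]), chi])


def closure(phi):
    """Definition 8: the least set containing phi, closed under <l>/[l] stripping and alpha/beta parts."""
    cl, todo = set(), [phi]
    while todo:
        f = todo.pop()
        if f in cl:
            continue
        cl.add(f)
        if f[0] in ('dia', 'box') and f[1][0] in ('a', 'ac'):
            todo.append(f[2])
        else:
            d = decompose(f)
            if d is not None:
                todo.extend(d[1])
    return cl


def closure_bounds_hold(phi):
    """The facts used in the proof of Theorem 19: |cl(phi)| <= |phi| and |psi| <= |phi|^2 on cl(phi)."""
    cl, n = closure(phi), size(phi)
    return len(cl) <= n and all(size(psi) <= n * n for psi in cl)


def is_eventuality(f):
    """phi in Ev iff phi = <g1>...<gk><g*>psi, i.e. some leading diamond carries a starred program."""
    while f[0] == 'dia':
        if f[1][0] == 'star':
            return True
        f = f[2]
    return False


def reduces_to(f):
    """All psi with f ~> psi (Definition 12); empty unless f is <gamma>chi with compound gamma."""
    if f[0] != 'dia':
        return []
    prg, chi = f[1], f[2]
    pk = prg[0]
    if pk == 'seq':
        return [('dia', prg[1], ('dia', prg[2], chi))]
    if pk == 'cup':
        return [('dia', prg[1], chi), ('dia', prg[2], chi)]
    if pk == 'star':
        return [chi, ('dia', prg[1], f)]
    if pk == 'test':
        return [chi]
    return []


# The toy formula phi = <a*>[a^-]p of Section 6.
A, AC, P = ('a', 'a'), ('ac', 'a'), ('p', 'p')
PHI = ('dia', ('star', A), ('box', AC, P))

if __name__ == '__main__':
    print(size(PHI), len(closure(PHI)), is_eventuality(PHI), reduces_to(PHI))
```

Note that $\langle a\rangle\phi \in \mathrm{cl}(\phi)$ has size 5 while $|\phi| = 4$, which is why the bound on the size of closure members in the proof of Theorem 19 is quadratic rather than linear.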

Definition 13. A structure $(W, R, L)$ [for $\varphi \in \mathrm{Fml}$] is a transition frame $(W, R)$ and a labelling function $L : W \to 2^{\mathrm{Fml}}$ which maps each world $w \in W$ to a set $L(w)$ of formulae [and has $\varphi \in L(v)$ for some world $v \in W$].

Definition 14. Let $H = (W, R, L)$ be a structure, $w \in W$, and $\varphi, \psi \in \mathrm{Fml}$. A fulfilling chain for $(H, w, \varphi, \psi)$ is a finite sequence $(w_0, \psi_0), \dots, (w_n, \psi_n)$ of world-formula pairs with $n \geq 0$ such that:

- $w_0 = w$, $\psi_0 = \varphi$, $\psi_n = \psi$, and $\psi_i \in L(w_i)$ for all $0 \leq i \leq n$
- for all $0 \leq i < n$: if $\psi_i = \langle l\rangle\chi$ for some $l \in \mathrm{LPrg}$ and some $\chi \in \mathrm{Fml}$ then $\psi_{i+1} = \chi$ and $w_i R_l w_{i+1}$, else $\psi_i \leadsto \psi_{i+1}$ and $w_i = w_{i+1}$.

Definition 15. A Hintikka structure $H = (W, R, L)$ [for $\varphi \in \mathrm{Fml}$] is a structure [for $\varphi$] which satisfies the following conditions for every $w \in W$, where $\alpha$ and $\beta$ are formulae as defined in Table 1:

H1: $\neg p \in L(w) \Rightarrow p \notin L(w)$

H2: $\alpha \in L(w) \Rightarrow \alpha_1 \in L(w)\ \&\ \alpha_2 \in L(w)$

H3: $\beta \in L(w) \Rightarrow \beta_1 \in L(w)$ or $\beta_2 \in L(w)$

H4: $\langle l\rangle\varphi \in L(w) \Rightarrow \exists v \in W.\ w R_l v\ \&\ \varphi \in L(v)$

H5: $[l]\varphi \in L(w) \Rightarrow \forall v \in W.\ w R_l v \Rightarrow \varphi \in L(v)$

H6: $\langle\gamma^*\rangle\varphi \in L(w) \Rightarrow$ there exists a fulfilling chain for $(H, w, \langle\gamma^*\rangle\varphi, \varphi)$.

H3 "locally unwinds" the fix-point semantics of $\langle\gamma^*\rangle\varphi$, but does not guarantee a least fix-point, which requires $\varphi$ to be true eventually. H6 "globally" ensures that all $\langle\gamma^*\rangle$-formulae are fulfilled. H2 captures the greatest fix-point semantics of $[\gamma^*]\varphi$.

Proposition 16. A formula $\varphi \in \mathrm{Fml}$ in negation normal form is satisfiable iff there exists a Hintikka structure for $\varphi$.

Proposition 16 implies that we can check whether a formula $\varphi$ in negation normal form is satisfiable by systematically trying to build a Hintikka structure for $\varphi$. Our tableau rules are designed specifically for this purpose.

Definition 17. Let $G = (V, E)$ be a directed graph and $x, y \in V$ two of its nodes. Then $y$ is a child of $x$ iff $(x, y) \in E$. A path $\pi$ in $G$ is a finite or infinite sequence $x_0, x_1, x_2, \dots$ of nodes in $G$ such that $x_{i+1}$ is a child of $x_i$ for all $x_i$ except the last node if $\pi$ is finite. An $x$-path $\pi$ is a path in $G$ that has $x_0 = x$.

We now list some facts about the algorithm which are needed in the subsequent proofs. They can be verified by careful inspection of the procedures.
Proposition 18. Let $x, y, z \in V$ be nodes and $\varphi, \psi \in \mathrm{Ev}$.

(i) If $x$ is open and $\mathrm{prs}_x(\varphi)$ is defined then for each $(y, \psi) \in \mathrm{prs}_x(\varphi)$, we have $x \sqsubset y$ and $\psi \in F_y$. Moreover, if $y$ is a state then $\psi$ is a $\langle l\rangle$-formula.

(ii) Let $\mathrm{prs}' := \mathrm{filter}(x, \mathrm{prs})$. Then $\mathrm{prs}(\varphi) = \mathrm{prs}(\psi) \Rightarrow \mathrm{prs}'(\varphi) = \mathrm{prs}'(\psi)$.

(iii) The number of consecutive non-states in a path in $G$ is bounded.

(iv) If $x$ and $y$ are states with $F_x = F_y$ then $x = y$.

(v) If $x$ is a state then its parents are exactly the special nodes $y$ with $F_y = F_x$.

(vi) If $x$ is a special node, it has the state $y$ with $F_y = F_x$ as child.

(vii) If $y$ is a child of $x$ and neither of them are states then $\mathrm{pst}_x = \mathrm{pst}_y$ and $\mathrm{ppr}_x = \mathrm{ppr}_y$ and $F_x \subsetneq F_y$.

(viii) We have $\mathrm{alt}_{rt} = \emptyset$ and $\emptyset \notin \mathrm{alt}_x$.

Let $\phi \in \mathrm{Fml}$ be a formula in negation normal form. Furthermore let $G = (V, E)$ be the final graph, with root node $rt$, which was created by invoking is-sat$(\phi)$. Note that $F_{rt} = \{\langle d\rangle\phi\}$ and that all nodes in $G$ are defined once our algorithm terminates. Hence "not closed" then means "open" and vice versa, and $\sqsubset$ is a total strict order. Of course, we have to show first that our algorithm terminates, but this is an immediate consequence of Theorem 19.

Theorem 19. The algorithm runs in EXPTIME in $n := |\phi|$.

Proof. It is easy to see that every node in $G$ can contain only formulae of the closure $\mathrm{cl}(\phi)$. Furthermore it is known that $|\mathrm{cl}(\phi)| \leq n$ and that $|\psi| \leq n^2$ for all $\psi \in \mathrm{cl}(\phi)$. Hence there are at most $2^n$ different sets of formulae that can be assigned to the nodes of $G$. As a state is uniquely identified by its assigned set of formulae due to Prop. 18(iv), the total number of states in $G$ is also in $2^{O(n)}$.

If we fix one state $x \in V$, it is not too hard to see that the nodes which are not states and which have $x$ as their parent state form several disjoint trees whose roots are exactly the children of $x$. Because of Prop. 18(vii), the depth of these trees is in $O(n)$. The branching degree of $\alpha$- and $\beta$-nodes is constant; the branching degree of a special node, however, is in $2^{O(n)}$. Hence the size of each tree is in $(2^{O(n)})^{O(n)} \subseteq 2^{O(n^2)}$. Since the number of children for each state is clearly in $O(n)$, the total number of non-states which have $x$ as their parent state is in $O(n) \cdot 2^{O(n^2)} \subseteq 2^{O(n^2)}$. As all non-states have a parent state, we conclude that the total number of nodes in $G$ is in $2^{O(n)} \cdot 2^{O(n^2)} \subseteq 2^{O(n^2)}$.

Bearing that in mind, it is fairly obvious that Rules 1, 2, and 4 can only be applied an exponential number of times. Next we show that Rule 3 can only be applied an exponential number of times. We do this by showing that each node can change from open to open only an exponential number of times.

Assume for the sake of notation that the status of a node $x$ changes from $\mathrm{open}(\mathrm{alt}, \mathrm{prs})$ to $\mathrm{open}(\mathrm{alt}', \mathrm{prs}')$. In particular we have $\mathrm{alt} \neq \mathrm{alt}'$ or $\mathrm{prs} \neq \mathrm{prs}'$.

First we note that we have $\mathrm{alt} \subseteq \mathrm{alt}'$, which basically follows from the fact that the set of alternative sets of a node is always the union of the sets of alternative sets of its children which are not states, even when the nodes are closed. The only exception are states, where the set of alternative sets can become smaller, but only if the node becomes closed. However, all parents of states are special nodes, see Prop. 18(v), and special nodes do not inherit the set of alternative sets of their corresponding state, see det-sts-spl. As a consequence, $\mathrm{alt}_x$ can only change an exponential number of times, since there are only exponentially many alternative sets.

Next we show that if there are $\varphi, \psi \in \mathrm{Ev}$ and $y \in V$ such that either $\mathrm{prs}(\varphi) = \bot \neq \mathrm{prs}'(\varphi)$ or $(y, \psi) \in \mathrm{prs}(\varphi)$ but $(y, \psi) \notin \mathrm{prs}'(\varphi) \neq \bot$, then some node $z \in V$ must have been closed between the time when prs was calculated and the time when prs' was calculated. Hence, there can only be an exponential number of those changes of $\mathrm{prs}_x$. Changes of $\mathrm{prs}_x$ which do not fall into the described category "fill up" the sets of potential rescuers. Therefore, there can only be an exponential number of such changes of $\mathrm{prs}_x$ in a row before one of the described changes must happen. It follows that $\mathrm{prs}_x$ can only change an exponential number of times.

To show that some node was closed between the times when $\mathrm{prs}_x$ and $\mathrm{prs}'_x$ were calculated, we use induction on $\sqsubset$. That is, for each node $y$ with $y \sqsubset x$, we can assume the induction hypothesis. When $\mathrm{prs}'_x$ was calculated via det-sts-β, det-sts-state, or det-sts-spl, it can be shown - basically because of the "monotonicity" of filter - that there must exist $\varphi_i, \psi' \in \mathrm{Ev}$ and $y_i, y' \in V$ such that one of the following statements holds.

- det-prs-child$(x, y_i, \varphi_i) = \bot$ at the time of calculating $\mathrm{prs}_x$, but we have det-prs-child$(x, y_i, \varphi_i) \neq \bot$ at the time of calculating $\mathrm{prs}'_x$; or

- $(y', \psi') \in$ det-prs-child$(x, y_i, \varphi_i)$ at the time of calculating $\mathrm{prs}_x$, but we have $(y', \psi') \notin$ det-prs-child$(x, y_i, \varphi_i) \neq \bot$ at the time of calculating $\mathrm{prs}'_x$.

We only cover the second case; the first one is similar. Using the definition of det-prs-child, the second case implies one of the following three cases:

Case 1: the node $y_i$ was open at the time of calculating $\mathrm{prs}_x$, but is closed at the time of calculating $\mathrm{prs}'_x$;

Case 2: $y_i \sqsubset x$ and there exists a pair $(z_j, \varphi_j)$ such that $(z_j, \varphi_j) \in \mathrm{prs}_{y_i}(\varphi_i)$ at the time of calculating $\mathrm{prs}_x$, but $(z_j, \varphi_j) \notin \mathrm{prs}_{y_i}(\varphi_i) \neq \bot$ at the time of calculating $\mathrm{prs}'_x$;

Case 3: $y_i \sqsubset x$ and there exists a pair $(z_j, \varphi_j)$ such that we have $(y', \psi') \in$ det-prs-child$(x, z_j, \varphi_j)$ at the time of calculating $\mathrm{prs}_x$, but $(y', \psi') \notin$ det-prs-child$(x, z_j, \varphi_j) \neq \bot$ at the time of calculating $\mathrm{prs}'_x$.

In Case 1 we have found the node we are looking for, namely $y_i$. In Case 2 we can apply the induction hypothesis on $y_i$, which gives us the desired node. In Case 3 we can use an inductive argument which is well-defined because of Prop. 18(i). We conclude that each rule of the algorithm can only be applied an exponential number of times.

Next we show that applying a rule can be done in EXPTIME. To do this it is obviously enough to show that det-sts-β, det-sts-state, and det-sts-spl - and hence det-status - run in EXPTIME. It is not too hard to see that the runtime for filter is in EXPTIME. Hence we are left to show that the direct invocations of det-prs-child in det-sts-β, det-sts-state, or det-sts-spl run in EXPTIME. We have already explained that under each invocation of det-sts-β, det-sts-state, and det-sts-spl, the procedure det-prs-child is invoked at most once for each pair $(y, \varphi) \in V \times \mathrm{Ev}$ as second and third argument. As there exists only an exponential number of such pairs and the runtime for det-prs-child is clearly in EXPTIME when ignoring recursive invocations, the direct invocations of det-prs-child in det-sts-β, det-sts-state, or det-sts-spl run in EXPTIME.

Since the number of nodes is exponential and det-status runs in EXPTIME, checking whether one of the rules is applicable can clearly be done in EXPTIME, even with the most naive way of simply trying the conditions for all nodes. We can therefore conclude that the algorithm runs in EXPTIME. □

Lemma 20. Let $x \in V$ be an open node.

(i) If $x$ is a state then all of its children are open.

(ii) If $x$ is an $\alpha$- or a $\beta$-node or a special node then some child of $x$ is open.

Proof. Since Rule 3 is not applicable, the node $x$ is up-to-date. (i): If some child of $x$ were not open then it must be closed. But then $x$ would also be closed by definition of det-sts-state. (ii): If all children of $x$ were not open then all children must be closed. But then $x$ would also be closed by definition of det-sts-β or det-sts-spl. □

Definition 21. Let $x, y \in V$ and $\varphi, \psi \in \mathrm{Fml}$. A graph chain for $(x, \varphi, y, \psi)$ is a finite sequence $(y_0, \psi_0), \dots, (y_n, \psi_n)$ of node-formula pairs with $n \geq 0$ such that:

- $y_0 = x$, $\psi_0 = \varphi$, $y_n = y$, $\psi_n = \psi$, $y_i$ is open, and $\psi_i \in F_{y_i}$ for all $0 \leq i \leq n$

- $y_i = y_{i+1}$ or $y_{i+1}$ is a child of $y_i$ for all $0 \leq i < n$

- for all $0 \leq i < n$, (exactly) one of the following conditions is true:

  • $\psi_i = \psi_{i+1}$ and ($y_i = y_{i+1}$ or $y_i$ is not a state);

  • if $\psi_i = \langle l\rangle\chi$ for some $l \in \mathrm{LPrg}$ and some $\chi \in \mathrm{Fml}$ then $\psi_{i+1} = \chi$ and $y_i$ is a state and $y_{i+1}$ is the successor of $\langle l\rangle\chi$, else $\psi_i \leadsto \psi_{i+1}$ and $y_i$ is not a state.

Lemma 22. For every open node $x \in V$ and every eventuality $\varphi \in F_x \cap \mathrm{Ev}$, where $\varphi$ is a $\langle l\rangle$-formula if $x$ is a state, we have:

(i) If $\mathrm{prs}_x(\varphi) = \bot$ then there exists a node $z \in V$, a formula $\psi \in \mathrm{Fml} \setminus \mathrm{Ev}$ and a graph chain $\sigma$ for $(x, \varphi, z, \psi)$.

(ii) If $\mathrm{prs}_x(\varphi) \neq \bot$, we have for all $(z, \psi) \in \mathrm{prs}_x(\varphi)$ that there exists a graph chain $\sigma$ for $(x, \varphi, z, \psi)$.

Proof. We use induction on $\sqsubset$. That is, for a node $x \in V$ we can assume that all nodes $y \in V$ with $y \sqsubset x$ fulfil the lemma already. Recall that $y \sqsubset x$ iff $y$ becomes defined before $x$ does.

Let $x \in V$ be open and $\varphi \in F_x$ be an eventuality. We distinguish whether $x$ is an $\alpha/\beta$-node or a state or a special node.

Case 1 ($x$ is an $\alpha/\beta$-node): We distinguish whether $\mathrm{prs}_x(\varphi) \neq \bot$ or $\mathrm{prs}_x(\varphi) = \bot$.

Case 1.1 ($\mathrm{prs}_x(\varphi) \neq \bot$): Let $(z, \psi) \in \mathrm{prs}_x(\varphi)$. We distinguish whether or not there exists an open child $y := y_i$ of $x$ such that $(z, \psi)$ is an element of the corresponding $\Lambda_{\varphi, i}$ in det-sts-β$(x)$.

Case 1.1.1 ($y$ exists): In this case $(z, \psi)$ must be in det-prs-child$(x, y, \varphi)$. Our final case distinction is whether or not $y \sqsubset x$.

Case 1.1.1.1 (not $y \sqsubset x$): In this case, we have $y = z$ and $\varphi = \psi$ by construction in det-prs-child. Hence $(x, \varphi), (y, \varphi)$ is a graph chain for $(x, \varphi, z, \psi)$.

Case 1.1.1.2 ($y \sqsubset x$): In this case, we have $\mathrm{prs}_y(\varphi) \neq \bot$ and there must exist a pair $(y', \varphi') \in \mathrm{prs}_y(\varphi)$ such that $(z, \psi)$ is contained in det-prs-child$(x, y', \varphi')$. Using the induction hypothesis on $y$, we obtain a graph chain $\sigma_1$ for $(y, \varphi, y', \varphi')$. In particular $y'$ is open and we have $y \sqsubset y'$ by Prop. 18(i). We can now inductively repeat the same arguments for $y'$ and $\varphi'$ that we have used for $y$ and $\varphi$. Since $y \sqsubset y'$, we must eventually end up in Case 1.1.1.1. Hence the induction is well-defined and yields a graph chain $\sigma_2$ for $(y', \varphi', z, \psi)$. Thus $(x, \varphi), \sigma_1, \sigma_2$ is a graph chain for $(x, \varphi, z, \psi)$.

Case 1.1.2 ($y$ does not exist): In this case we know that $(z, \psi) \notin \mathrm{prs}(\varphi)$ in det-sts-β$(x)$, but it must have been inserted in filter$(x, \mathrm{prs})$, which is invoked at the end of det-sts-β$(x)$. Hence there exists a $\chi \in \mathrm{reach}(\mathrm{prs}, x, \varphi)$ such that $(z, \psi) \in \mathrm{prs}(\chi)$. According to the definition of reach there exist $\varphi_0, \dots, \varphi_k \in \mathrm{Ev}$ such that $\chi = \varphi_k$ and $(x, \varphi_0) \in \mathrm{prs}(\varphi)$ and $(x, \varphi_{i+1}) \in \mathrm{prs}(\varphi_i)$ for all $0 \leq i < k$. Since $(x, \varphi_0) \in \mathrm{prs}(\varphi)$, there exists an open child such that $(x, \varphi_0)$ is an element of the corresponding $\Lambda_{\varphi, i}$ in det-sts-β$(x)$. Hence we can obtain a graph chain $\sigma_{-1}$ for $(x, \varphi, x, \varphi_0)$ exactly as in Case 1.1.1. Using the same arguments, we can also get graph chains $\sigma_i$ for $(x, \varphi_i, x, \varphi_{i+1})$ for all $0 \leq i < k$, and a graph chain $\sigma_k$ for $(x, \chi, z, \psi)$. Because we have $\chi = \varphi_k$, their concatenation $\sigma_{-1}, \sigma_0, \dots, \sigma_k$ is a graph chain for $(x, \varphi, z, \psi)$.

Case 1.2 ($\mathrm{prs}_x(\varphi) = \bot$): We distinguish whether or not there exists an open child $y := y_i$ of $x$ such that the corresponding set $\Lambda_{\varphi, i}$ in det-sts-β$(x)$ is undefined.

Case 1.2.1 ($y$ exists): In this case det-prs-child$(x, y, \varphi)$ must return undefined. Hence we must have $y \sqsubset x$ by construction in det-prs-child. Our final case distinction is whether or not $\mathrm{prs}_y(\varphi) = \bot$.

Case 1.2.1.1 ($\mathrm{prs}_y(\varphi) = \bot$): In this case we can use the induction hypothesis on $y$ to get a graph chain $\sigma$ for $(y, \varphi, z, \psi)$ for some $z \in V$ and some $\psi \in \mathrm{Fml} \setminus \mathrm{Ev}$. Thus $(x, \varphi), \sigma$ is a graph chain for $(x, \varphi, z, \psi)$.

Case 1.2.1.2 ($\mathrm{prs}_y(\varphi) \neq \bot$): In this case there must exist a $(y', \varphi') \in \mathrm{prs}_y(\varphi)$ such that det-prs-child$(x, y', \varphi')$ returns undefined. Using the second part of the induction hypothesis on $y$, we obtain a graph chain $\sigma_1$ for $(y, \varphi, y', \varphi')$. In particular $y'$ is open and we have $y \sqsubset y'$ by Prop. 18(i). We can now inductively repeat the same arguments for $y'$ and $\varphi'$ that we have used for $y$ and $\varphi$. Since $y \sqsubset y'$, we must eventually end up in Case 1.2.1.1. Hence the induction is well-defined and yields a graph chain $\sigma_2$ for $(y', \varphi', z, \psi)$ for some $z \in V$ and some $\psi \in \mathrm{Fml} \setminus \mathrm{Ev}$. Thus $(x, \varphi), \sigma_1, \sigma_2$ is a graph chain for $(x, \varphi, z, \psi)$.

Case 1.2.2 ($y$ does not exist): In this case we know that $\mathrm{prs}(\varphi)$ in det-sts-β$(x)$ is defined. Therefore $\mathrm{prs}_x(\varphi)$ became undefined in filter$(x, \mathrm{prs})$, which is invoked at the end of det-sts-β$(x)$. Hence there exists a $\chi \in \mathrm{reach}(\mathrm{prs}, x, \varphi)$ such that $\mathrm{prs}(\chi) = \bot$. According to the definition of reach there exist $\varphi_0, \dots, \varphi_k \in \mathrm{Ev}$ such that $\chi = \varphi_k$ and $(x, \varphi_0) \in \mathrm{prs}(\varphi)$ and $(x, \varphi_{i+1}) \in \mathrm{prs}(\varphi_i)$ for all $0 \leq i < k$. Since $(x, \varphi_0) \in \mathrm{prs}(\varphi)$, there exists an open child $y := y_i$ such that $(x, \varphi_0)$ is an element of the corresponding $\Lambda_{\varphi, i}$ in det-sts-β$(x)$. Hence we can obtain a graph chain $\sigma_{-1}$ for $(x, \varphi, x, \varphi_0)$ exactly as in Case 1.1.1. Using the same arguments, we can also get graph chains $\sigma_i$ for $(x, \varphi_i, x, \varphi_{i+1})$ for all $0 \leq i < k$. Since $\mathrm{prs}(\chi) = \bot$, there exists an open child $y := y_j$ such that the corresponding $\Lambda_{\chi, j}$ in det-sts-β$(x)$ is undefined. Thus we can obtain a graph chain $\sigma_k$ for $(x, \chi, z, \psi)$ for some $z \in V$ and some $\psi \in \mathrm{Fml} \setminus \mathrm{Ev}$ exactly as in Case 1.2.1. Because we have $\chi = \varphi_k$, the concatenation $\sigma_{-1}, \sigma_0, \dots, \sigma_k$ is a graph chain for $(x, \varphi, z, \psi)$.

Case 2 ($x$ is a state): By assumption $\varphi$ is of the form $\langle l\rangle\chi$ for some $l \in \mathrm{LPrg}$ and some $\chi \in \mathrm{Ev}$. By distinguishing whether or not $\mathrm{prs}_x(\langle l\rangle\chi) = \bot$, we obtain the appropriate graph chain almost exactly as in Case 1. The main difference is that we have only one child of $x$ to consider, namely the successor of $\langle l\rangle\chi$.

Case 3 ($x$ is a special node): First we inductively build a sequence $\sigma_0$ as follows. We start with $\sigma_0 := (x, \varphi)$. If $\varphi$ is a $\langle l\rangle$-formula then we stop. Otherwise we extend $\sigma_0$ with $\varphi' := \mathrm{ann}_x(\varphi)$, which must be defined as $x$ is a special node and $\mathrm{ann}_x$ is hence a full annotation. Remember that we have $\varphi \leadsto \varphi'$. If $\varphi'$ is neither an eventuality nor a $\langle l\rangle$-formula then we stop. Otherwise we extend $\sigma_0$ with $\varphi'' := \mathrm{ann}_x(\varphi')$ and so on. The termination of this iteration is guaranteed by the fact that $x$ is open and hence $\mathrm{ann}_x$ is non-cyclic. It is not hard to see that the final $\sigma_0$ is of the form $(x, \varphi), (x, \varphi'), \dots, (x, \chi)$ where $\chi = \mathrm{defer}(x, \varphi)$. Hence we have $\mathrm{prs}_x(\varphi) = \mathrm{prs}_x(\chi)$ by definition of det-sts-state and because of Prop. 18(ii). If $\chi \notin \mathrm{Ev}$ then we know $\mathrm{prs}_x(\chi) = \mathrm{prs}_x(\varphi) = \bot$. Furthermore $\sigma_0$ is a graph chain for $(x, \varphi, x, \chi)$ and we are done. Otherwise $\chi$ is of the form $\langle l\rangle\chi'$ for some $l \in \mathrm{LPrg}$ and some $\chi' \in \mathrm{Ev}$.

By distinguishing whether or not $\mathrm{prs}_x(\langle l\rangle\chi') = \bot$, we obtain the appropriate graph chain $\sigma_1$ for $(x, \langle l\rangle\chi', z, \psi)$ exactly as in Case 1. Note in particular that we can use the induction hypothesis on the child of $x$ which is a state, since our eventuality is of the form $\langle l\rangle\chi'$. We can then conclude that $\sigma_0, \sigma_1$ is the appropriate graph chain for $(x, \varphi, z, \psi)$. □

Definition 23. For $\varphi \in \mathrm{Ev}$, let $\mathrm{ex}(\varphi) \in \mathrm{Fml}$ be the largest subformula of $\varphi$ such that $\mathrm{ex}(\varphi) \notin \mathrm{Ev}$ and $\varphi \in \mathrm{pre}(\mathrm{ex}(\varphi))$.

It is easy to see that $\mathrm{ex}(\varphi)$ is well-defined, in particular, that it is unique.

Proposition 24. Let $\psi_0, \dots, \psi_n$ be a finite sequence of formulae with $n \geq 0$ such that $\psi_n \notin \mathrm{Ev}$ and for every $0 \leq i < n$: if $\psi_i = \langle l\rangle\chi$ for some $l \in \mathrm{LPrg}$ and some $\chi \in \mathrm{Fml}$ then $\psi_{i+1} = \chi$; else $\psi_i \leadsto \psi_{i+1}$.

(i) $\mathrm{ex}(\psi_j) = \psi_n$ for every $0 \leq j < n$;

(ii) for every $\chi \in \mathrm{Fml}$ such that $\psi_n$ is a subformula of $\chi$ and $\chi$ is a subformula of $\psi_0$, there exists a $0 \leq j \leq n$ such that $\chi = \psi_j$.

Theorem 25. If root vt gV is open then cp is satisfiable. 
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Proof. We will show that there exists a Hintikka structure for cj). The theorem 
then follows with Prop. 16. 

Let Gp ( "p" for pruned) be the subgraph of G that consists of all open nodes 
of G which arc not states, and all open states for which there exists a full non- 
cyclic annotation. Note that open states which are children of open special nodes 
are contained in Gp since the annotation of the special child is trivially a full non- 
cyclic annotation for the state. The edges of Gp are exactly the edges of G which 
connect two open nodes. Then we use Gp to generate a structure H = (W, R, L) 
as described next. 

Let W be the set of all states of Gp. To define R we first define the auxiliary 
function R : LPrg W x W. For every I G LPrg and every s,t € W, let (s, t) G 
R'{b) iff Fg contains a formula {l)(p for some formula ip S Fml and there exists an 
s-path xo = s,xi, . . . ,Xk+i,Xk+2 = t in Gp such that xi is the successor of {l)(p, 
each a;^, 1 < i < fc, is an a- or a /3-node or a special node, and Xk+i is a special 
node. Thus state t is a "saturation" of xi. Then we set Ra := R'{a) U {(i, s) | 
{s,t) G R'{a~)} for every a G APrg. Finally, we set L{s) to be for all s eW. 

As rt is open, the only child y of rt is also open due to Lemma 20 (i). Moreover 
we have (j) € Fy because y is the successor of {d)(f> G F^t- Thus there exists an 
open state s in G, and thus in Gp, such that (j) G Fg = L{s) due to Lemma 20(ii) 
and Prop. 18(iii)(v)(vii). Hence H is a structure for (j). 

Next we show that H fulfils HI to H6 and is thus a Hintikka structure for (p. 
Let w G W, that is w is a state in Gp. In particular w is open. 
HI: The set L{w) = F^ cannot contain a contradiction as w is not closed. 
H2 and H3 follow from the fact that u> is a state and not an a- or a /3-node. 
H4 follows from the treatment of states in expeind. Lemma 20 (ii) as well as 
Prop. 18(ih)(v)(vh). 

H5: Let $[b]\psi \in L(w)$ and $v \in W$ such that $(w,v) \in R_b$. We distinguish whether
$(w,v) \in R'(b)$ or $(v,w) \in R'(b^-)$.

If $(w,v) \in R'(b)$, we have by definition of $R'$ that $F_w$ contains a formula $\langle b\rangle\psi'$
for some $\psi' \in \mathrm{Fml}$ and there exists a path $x_0 = w, x_1, \ldots, x_{k+1}, x_{k+2} = v$ in $G_p$
such that $x_1$ is the successor of $\langle b\rangle\psi'$, each $x_i$, $1 \le i \le k$, is an $\alpha$- or a $\beta$-node
or a special node, and $x_{k+1}$ is a special node. By construction we have $\psi \in F_{x_1}$,
and by Prop. 18(v) and (vii) we have $\psi \in F_v = L(v)$.

If $(v,w) \in R'(b^-)$ then we have by definition of $R'$ that the set $F_v$ con-
tains a formula $\langle b^-\rangle\psi'$ for some $\psi' \in \mathrm{Fml}$, and that there exists a path $x_0 =
v, x_1, \ldots, x_{k+1}, x_{k+2} = w$ in $G_p$ such that $x_1$ is the successor of $\langle b^-\rangle\psi'$, and
each $x_i$, $1 \le i \le k$, is an $\alpha$- or a $\beta$-node or a special node, and $x_{k+1}$ is a special
node. By construction and Prop. 18(vii) we have $\mathrm{pst}_{x_{k+1}} = v$ and $\mathrm{ppr}_{x_{k+1}} = b^-$.
Together with Prop. 18(vi) and the fact that $(b^-)^- = b$ and that $x_{k+1}$ is not
closed, we can therefore conclude $\psi \in F_v = L(v)$.

H6: We use Lemma 22 as is shown next. Let $\varphi \in L(w) = F_w$ be an eventuality.
We first build a graph chain $\sigma$ for $(w, \varphi, y, \psi)$ for some $y \in V$ and some $\psi \in
\mathrm{Fml} \setminus \mathrm{Ev}$ and then convert $\sigma$ into a fulfilling chain.

By assumption there exists a full non-cyclic annotation $\mathrm{ann}$ for $w$. First we in-
ductively build a sequence $\sigma_0$ as follows. We start with $\sigma_0 := (w, \varphi)$. If $\varphi$ is a $\langle lp\rangle$-
formula then we stop. Otherwise we extend $\sigma_0$ with $\varphi' := \mathrm{ann}(\varphi)$ which must be
defined as $\mathrm{ann}$ is a full annotation. Remember that we have $\varphi \leadsto \varphi'$. If $\varphi'$ is not an
eventuality nor a $\langle lp\rangle$-formula then we stop. Otherwise we extend $\sigma_0$ with $\varphi'' :=
\mathrm{ann}(\varphi')$ and so on. The termination of this iteration is guaranteed by the fact
that $\mathrm{ann}$ is non-cyclic. Let the final $\sigma_0$ be of the form $(w, \varphi), (w, \varphi'), \ldots, (w, \chi)$.
If $\chi \notin \mathrm{Ev}$ then $\sigma_0$ is already a graph chain for $(w, \varphi, w, \chi)$, and we set $\sigma := \sigma_0$.
Otherwise $\chi$ is of the form $\langle l\rangle\chi'$ for some $l \in \mathrm{LPrg}$ and some $\chi' \in \mathrm{Ev}$. In
this case we build another graph chain $\sigma_1$ for $(w, \chi, y, \psi)$ for some $y \in V$ and
some $\psi \in \mathrm{Fml} \setminus \mathrm{Ev}$ by distinguishing whether or not $\mathrm{prs}_w(\chi) = \bot$, and then
set $\sigma := \sigma_0, \sigma_1$.

Case 1: If $\mathrm{prs}_w(\chi) = \bot$ then Lemma 22 provides us with a graph chain $\sigma_1$
for $(w, \chi, y, \psi)$ for some $y \in V$ and some $\psi \in \mathrm{Fml} \setminus \mathrm{Ev}$.

Case 2: If $\mathrm{prs}_w(\chi) \ne \bot$ then it contains at least one pair $(y, \psi')$ such that $w \sqsubset
y$ because of Prop. 18(i) and the fact that Rule 4 is not applicable. Hence
Lemma 22 gives us a graph chain for $(w, \chi, y, \psi')$. In particular $y$ is open. As
the $\sqsubset$-relation is well-founded, we can inductively apply Lemma 22 on $y$ and $\psi'$
and so on, and must eventually encounter Case 1. Joining all sequences in the
obvious way gives us a graph chain $\sigma_1$ for $(w, \chi, y, \psi)$ for some $y \in V$ and
some $\psi \in \mathrm{Fml} \setminus \mathrm{Ev}$.

To convert $\sigma$ into a fulfilling chain, we extend $\sigma$ as follows. Let $\pi = z_0, \ldots, z_k$
be a finite $y$-path in $G_p$ such that $t := z_k$ is the only state in $\pi$ and $\psi \in F_{z_i}$
for all $0 \le i \le k$. The existence of $\pi$ follows from Lemma 20(ii) and
Prop. 18(iii)(v)(vii). Note that $\pi = y$ iff $y$ is a state. We extend $\sigma$ by the se-
quence $(z_1, \psi), \ldots, (z_k, \psi)$. Now $\sigma$ is a graph chain for $(w, \varphi, t, \psi)$.

Finally, we convert $\sigma$ into a fulfilling chain as follows. Let $\sigma$ be of the
form $(y_0, \psi_0), \ldots, (y_n, \psi_n)$. Next we replace each $y_i$, $0 \le i \le n$, in $\sigma$ with the first
state which appears on the path $y_i, \ldots, y_n$. Furthermore we contract all consecu-
tive repetitions of pairs. Let the resulting $\sigma$ be of the form $(w_0, \psi'_0), \ldots, (w_m, \psi'_m)$.

It is not too hard to check that $\sigma$ is a fulfilling chain for $(H, w, \varphi, \psi)$. More-
over, Prop. 24(i) tells us that $\psi = \mathrm{ex}(\varphi)$. If $\varphi = \langle\gamma^*\rangle\chi$ for some $\gamma \in \mathrm{Prg}$ and
some $\chi \in \mathrm{Fml}$ then $\mathrm{ex}(\varphi)$ is a subformula of $\chi$ which is obviously a subformula
of $\varphi$. According to Prop. 24(ii), there therefore exists a $j \in \{0, \ldots, m\}$ such
that $\chi = \psi'_j$. Thus $(w_0, \psi'_0), \ldots, (w_j, \psi'_j)$ is a fulfilling chain for $(H, w, \langle\gamma^*\rangle\chi, \chi)$.
Hence H6 holds which concludes the proof. □

We next define some concepts related to models and state some propositions 
which we will need in the remaining proofs. 

Definition 26. Let $M = (W, R, V)$ be a model, $w \in W$, and $\varphi, \psi \in \mathrm{Fml}$. A
model chain for $(M, w, \varphi, \psi)$ is a finite sequence $(w_0, \psi_0), \ldots, (w_n, \psi_n)$ of world-
formula pairs with $n \ge 0$ such that:

(i) $w_0 = w$, $\psi_0 = \varphi$, $\psi_n = \psi$, and $M, w_i \Vdash \psi_i$ for all $0 \le i \le n$;

(ii) for all $0 \le i < n$: if $\psi_i = \langle l\rangle\chi$ for some $l \in \mathrm{LPrg}$ and some $\chi \in \mathrm{Fml}$
then $\psi_{i+1} = \chi$ and $w_i\, R_l\, w_{i+1}$, else $\psi_i \leadsto \psi_{i+1}$ and $w_i = w_{i+1}$.

Proposition 27. Let $M = (W, R, V)$ be a model, $w \in W$, and $\varphi, \psi \in \mathrm{Fml}$ such
that $\varphi \in \mathrm{pre}(\psi)$ and $M, w \Vdash \varphi$. Then there exists a model chain for $(M, w, \varphi, \psi)$.
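As an added example (not code from the paper or its OCaml prover), the following Python checks the two conditions of Definition 26 on a constructed model and chain with a converse step, and also implements the loop cutting that Lemma 35 uses when it notes that a model chain can be shortened so that no pair occurs twice. The tuple encodings of formulas, programs and models, and the unfolding relation ⇝ for compound diamonds (assumed here to be the usual PDL decomposition of ;, ∪, * and ?), are assumptions of this example.

```python
# Added example (not the paper's code): Definition 26 model chains, checked over a small
# constructed CPDL model, plus the loop cutting that Lemma 35 relies on.  Formulas are
# tuples ('p', n) ('not', f) ('and', f, g) ('or', f, g) ('dia', prog, f) ('box', prog, f);
# programs ('lit', a), ('conv', a) for a-, ('seq', p, q) ('union', p, q) ('star', p) ('test', f).
def reach(M, w, prog):
    R, k = M[1], prog[0]            # worlds reachable from w by running prog
    if k == 'lit':   return {t for (s, t) in R[prog[1]] if s == w}
    if k == 'conv':  return {s for (s, t) in R[prog[1]] if t == w}   # a-: follow R[a] backwards
    if k == 'seq':   return {u for v in reach(M, w, prog[1]) for u in reach(M, v, prog[2])}
    if k == 'union': return reach(M, w, prog[1]) | reach(M, w, prog[2])
    if k == 'test':  return {w} if sat(M, w, prog[1]) else set()
    seen, todo = {w}, [w]           # 'star': reflexive-transitive closure
    while todo:
        for u in reach(M, todo.pop(), prog[1]):
            if u not in seen:
                seen.add(u)
                todo.append(u)
    return seen

def sat(M, w, f):
    """M, w ||- f, the forcing relation of the paper."""
    k = f[0]
    if k == 'p':   return f[1] in M[2][w]
    if k == 'not': return not sat(M, w, f[1])
    if k == 'and': return sat(M, w, f[1]) and sat(M, w, f[2])
    if k == 'or':  return sat(M, w, f[1]) or sat(M, w, f[2])
    if k == 'dia': return any(sat(M, v, f[2]) for v in reach(M, w, f[1]))
    return all(sat(M, v, f[2]) for v in reach(M, w, f[1]))               # 'box'

def unfolds(f, g):
    """f ~> g: one unfolding step of a compound diamond (assumed here to be the
    usual PDL decomposition of ; U * and ?); <l>chi with l literal never unfolds."""
    if f[0] != 'dia' or f[1][0] in ('lit', 'conv'):
        return False
    prog, body = f[1], f[2]
    if prog[0] == 'seq':   return g == ('dia', prog[1], ('dia', prog[2], body))
    if prog[0] == 'union': return g in (('dia', prog[1], body), ('dia', prog[2], body))
    if prog[0] == 'star':  return g in (body, ('dia', prog[1], f))
    return prog[0] == 'test' and g == body

def is_model_chain(M, w, phi, psi, chain):
    """Definition 26: is chain a model chain for (M, w, phi, psi)?"""
    ends_ok = bool(chain) and chain[0] == (w, phi) and chain[-1][1] == psi
    if not ends_ok or not all(sat(M, v, f) for v, f in chain):      # condition (i)
        return False
    for (wi, fi), (wj, fj) in zip(chain, chain[1:]):                # condition (ii)
        if fi[0] == 'dia' and fi[1][0] in ('lit', 'conv'):          # <l>chi: step along R_l
            if fj != fi[2] or wj not in reach(M, wi, fi[1]):
                return False
        elif not (unfolds(fi, fj) and wi == wj):                    # otherwise unfold in place
            return False
    return True

def shorten(chain):
    """Cut loops so that no world-formula pair occurs twice (cf. Lemma 35)."""
    out = []
    for pair in chain:
        out = out[:out.index(pair) + 1] if pair in out else out + [pair]
    return out

# Constructed sample: worlds 0 <-a- 1 -b-> 2, with p true only at world 2.
M0 = ({0, 1, 2}, {'a': {(1, 0)}, 'b': {(1, 2)}}, {0: set(), 1: set(), 2: {'p'}})
P, BSTAR = ('p', 'p'), ('dia', ('star', ('lit', 'b')), ('p', 'p'))     # p and <b*>p
PHI = ('dia', ('seq', ('conv', 'a'), ('star', ('lit', 'b'))), P)       # <a-;b*>p
CHAIN = [(0, PHI), (0, ('dia', ('conv', 'a'), BSTAR)), (1, BSTAR),
         (1, ('dia', ('lit', 'b'), BSTAR)), (2, BSTAR), (2, P)]
```

The chain CHAIN follows `<a-;b*>p` from world 0 back along the a-edge to 1 and then along b to 2; dropping the unfolding steps, or stepping the converse program in the wrong direction, makes the check fail.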
Definition 28. Let $X$ and $Y$ be sets and $f, g : X \to Y^\bot$ be functions. We say
that $g$ extends $f$ iff $\forall x \in X.\ f(x) \ne \bot \Rightarrow g(x) = f(x)$.

Let $\mathrm{Seq}(X)$ be the set of non-empty, finite sequences of elements in $X$. For
a sequence $\sigma = x_0, \ldots, x_n$ in $\mathrm{Seq}(X)$, let $|\sigma| := n + 1$ be the length of $\sigma$. Fur-
thermore, for all $0 \le i < |\sigma|$, we define $\sigma_i := x_i$ and $\sigma_{\ge i} := x_i, x_{i+1}, \ldots, x_n$.

Definition 29. Let $M = (W, R, V)$ be a model, $w \in W$, and $F \subseteq \mathrm{Fml}$. We
write $M, w \Vdash F$ iff $M, w \Vdash \varphi$ for all $\varphi \in F$. Furthermore, let $\mathrm{ann} : \mathrm{Ev} \to \mathrm{Fml}^\bot$
be an annotation for $F$ and $\mathrm{chn} : \mathrm{Ev} \to (\mathrm{Seq}(W \times \mathrm{Fml}))^\bot$ a function. We say
that $(M, w, \mathrm{chn})$ annotated-satisfies $(F, \mathrm{ann})$ iff the following conditions hold:

– $M, w \Vdash F$

– $\mathrm{chn}(\varphi)$ is defined for all $\varphi \in F \cap \mathrm{Ev}$

– for all $\varphi \in \mathrm{Ev}$ such that $\sigma := \mathrm{chn}(\varphi)$ is defined, we have:

  • the sequence $\sigma$ is a model chain for $(M, w, \varphi, \mathrm{ex}(\varphi))$

  • for all $0 \le i < |\sigma|$, if $\sigma_i$ is of the form $(w, \psi)$ for some $\psi \in \mathrm{Ev}$ then $\bot \ne
    \mathrm{chn}(\psi) = \sigma_{\ge i}$

  • if $\mathrm{ann}(\varphi) \ne \bot$ then $\sigma_1 = (w, \mathrm{ann}(\varphi))$.

If there exists such a triple $(M, w, \mathrm{chn})$ we call $(F, \mathrm{ann})$ annotated-satisfiable.

Proposition 30. Let $M = (W, R, V)$ be a model, $w \in W$, $\varphi \in \mathrm{Fml}$, and $F \subseteq
\mathrm{Fml}$ be a finite set, such that $M, w \Vdash \varphi$ and $M, w \Vdash F$.

(i) Let $\mathrm{ann} : \mathrm{Ev} \to \mathrm{Fml}^\bot$ be an annotation for $F$ and $\mathrm{chn} : \mathrm{Ev} \to (\mathrm{Seq}(W \times
\mathrm{Fml}))^\bot$ a function such that $(M, w, \mathrm{chn})$ annotated-satisfies $(F, \mathrm{ann})$. If we
have $\varphi \notin \mathrm{Ev}$ or $\mathrm{ann}(\varphi) = \bot$ then there exists an extension $\mathrm{chn}'$ of $\mathrm{chn}$ such
that $(M, w, \mathrm{chn}')$ annotated-satisfies $(F \cup \{\varphi\}, \mathrm{ann})$.

(ii) Let $\sigma$ be a model chain for $(M, w, \varphi, \mathrm{ex}(\varphi))$ such that $\sigma_i \ne \sigma_j$ for all $0 \le
i, j < |\sigma|$, $i \ne j$. Then there exists a function $\mathrm{chn}' : \mathrm{Ev} \to (\mathrm{Seq}(W \times \mathrm{Fml}))^\bot$
such that $(M, w, \mathrm{chn}')$ annotated-satisfies $(F \cup \{\varphi\}, \mathrm{ann}^\bot)$ and $\mathrm{chn}'(\varphi) = \sigma$
if $\varphi \in \mathrm{Ev}$.

For a node $x \in V$, we say that $(M, w, \mathrm{chn})$ annotated-satisfies $x$ iff $(M, w, \mathrm{chn})$
annotated-satisfies $(F_x, \mathrm{ann}_x)$. Similarly, we say that $x$ is annotated-satisfiable
iff $(F_x, \mathrm{ann}_x)$ is annotated-satisfiable.

Definition 31. Let $M = (W, R, V)$ be a model, $w, v \in W$, and $\mathrm{chn} : \mathrm{Ev} \to
(\mathrm{Seq}(W \times \mathrm{Fml}))^\bot$ be a function.

– Let $x \in V$ be a state. We say that $(M, w)$ realises $x$ iff $M, w \Vdash F_x$ and $M, w \nVdash
  (F_x \cup F)$ for all $F \in \mathrm{alt}_x$.

– Let $x$ be an $\alpha$- or a $\beta$-node or a special node. We say that $(M, v, w, \mathrm{chn})$
  realises $x$ iff $M, v \Vdash F_{\mathrm{pst}_x}$, $M, v \nVdash (F_{\mathrm{pst}_x} \cup F)$ for all $F \in \mathrm{alt}_x$, $v\, R_{\mathrm{ppr}_x}\, w$
  and $(M, w, \mathrm{chn})$ annotated-satisfies $x$.

We call a node $x \in V$ realisable iff there exists an appropriate tuple $(M, w)$
or $(M, v, w, \mathrm{chn})$ which realises $x$.
Lemma 32. Let $M = (W, R, V)$ be a model, $w, v \in W$, and $\mathrm{chn} : \mathrm{Ev} \to
(\mathrm{Seq}(W \times \mathrm{Fml}))^\bot$ be a function.

(i) Let $x \in V$ be an $\alpha$- or a $\beta$-node such that $x$ is up-to-date and $(M, v, w, \mathrm{chn})$
realises $x$. Then there exists a child $y$ of $x$ and an extension $\mathrm{chn}'$ of $\mathrm{chn}$ such
that $(M, v, w, \mathrm{chn}')$ realises $y$.

(ii) Let $x \in V$ be a state such that $(M, w)$ realises $x$. Moreover, let $\langle l\rangle\psi \in F_x$
and $y \in V$ be the successor of $\langle l\rangle\psi$ such that $\mathrm{alt}_y \subseteq \mathrm{alt}_x$. Furthermore, let $\sigma$
be a model chain for $(M, w, \langle l\rangle\psi, \mathrm{ex}(\langle l\rangle\psi))$ such that $\sigma_i \ne \sigma_j$ for all $0 \le
i, j < |\sigma|$, $i \ne j$, and let $v' \in W$ such that $\sigma_1 = (v', \psi)$. Then there exists a
function $\mathrm{chn}' : \mathrm{Ev} \to (\mathrm{Seq}(W \times \mathrm{Fml}))^\bot$ such that $(M, w, v', \mathrm{chn}')$ realises $y$
and $\mathrm{chn}'(\psi) = \sigma_{\ge 1}$ if $\psi \in \mathrm{Ev}$.

(iii) Let $x \in V$ be a special node such that $x$ is up-to-date and $(M, v, w, \mathrm{chn})$
realises $x$. Then there either exists a child $y$ of $x$ and an extension $\mathrm{chn}'$
of $\mathrm{chn}$ such that $y$ is not a state and $(M, v, w, \mathrm{chn}')$ realises $y$, or $(M, w)$
realises $\mathrm{getChild}(x, \mathrm{cs})$.

Proof. (i): We distinguish whether or not the principal formula $\varphi \in F_x$, which
is decomposed in $x$, is an eventuality.

If $\varphi \in \mathrm{Ev}$ then $\sigma := \mathrm{chn}(\varphi)$ is a model chain for $(M, w, \varphi, \mathrm{ex}(\varphi))$. Since $\varphi$
is not a $\langle lp\rangle$-formula, we therefore have $\sigma_1 = (w, \varphi')$ for some $\varphi' \in \mathrm{Fml}$ such
that $\varphi \leadsto \varphi'$ and $M, w \Vdash \varphi'$. Due to the definition of $\leadsto$ and expand, there
exists a child $y \in V$ of $x$ such that $F_y = F_x \cup \{\varphi'\}$ and $\mathrm{ann}_y = \mathrm{ann}_x[\varphi \mapsto \varphi']$.
Together with the fact that $(M, w, \mathrm{chn})$ annotated-satisfies $x$, it is not too hard
to see that $(M, w, \mathrm{chn})$ also annotated-satisfies $y$. Since $x$ is up-to-date and by
definition of det-sts-$\beta$, we have $\mathrm{alt}_y \subseteq \mathrm{alt}_x$. Together with Prop. 18(vii) and
the assumption that $(M, v, w, \mathrm{chn})$ realises $x$, this implies that $(M, v, w, \mathrm{chn})$
realises $y$.

If $\varphi \notin \mathrm{Ev}$, let $y$ be a child of $x$ such that $M, w \Vdash F_y$. The existence of $y$ follows
from $M, w \Vdash F_x$ and Prop. 11. Furthermore, let $\varphi_1, \ldots, \varphi_k$ ($1 \le k \le 2$) be all for-
mulae which were actually added to $F_x$ to create $F_y$ in expand. If $\varphi_i$ ($1 \le i \le k$)
is an eventuality, we have $\mathrm{ann}_y(\varphi_i) = \bot$ because of $\mathrm{ann}_x = \mathrm{ann}_y$ and $\varphi_i \notin F_x$.
We can then conclude that $(M, w, \mathrm{chn}')$ annotated-satisfies $y$ for some exten-
sion $\mathrm{chn}'$ of $\mathrm{chn}$ by repeatedly applying Prop. 30(i). Since $x$ is up-to-date and by
definition of det-sts-$\beta$, we have $\mathrm{alt}_y \subseteq \mathrm{alt}_x$. Together with Prop. 18(vii) and
the assumption that $(M, v, w, \mathrm{chn})$ realises $x$, this implies that $(M, v, w, \mathrm{chn}')$
realises $y$.

(ii): It is easy to see that $\sigma_{\ge 1}$ is a model chain for $\psi$ and that we have $w\, R_l\, v'$
and $M, v' \Vdash \psi$. By construction in expand, we have $\mathrm{ann}_y = \mathrm{ann}^\bot$ and $F_y =
\{\psi\} \cup F$ for some $F \subseteq \mathrm{Fml}$ such that $[l]F \subseteq F_x$. Since $(M, w)$ realises $x$, we
have $M, w \Vdash [l]F$ and thus $M, v' \Vdash F$. We can thus apply Prop. 30(ii) on $M$,
$v'$, $\psi$, $F$, and $\sigma_{\ge 1}$ and obtain a function $\mathrm{chn}' : \mathrm{Ev} \to (\mathrm{Seq}(W \times \mathrm{Fml}))^\bot$ such
that $(M, v', \mathrm{chn}')$ annotated-satisfies $(F \cup \{\psi\}, \mathrm{ann}^\bot)$, and hence $y$. By definition
of det-sts-$\beta$ and the assumptions that $(M, w)$ realises $x$ and $\mathrm{alt}_y \subseteq \mathrm{alt}_x$, this
implies that $(M, w, v', \mathrm{chn}')$ realises $y$ and $\mathrm{chn}'(\psi) = \sigma_{\ge 1}$ if $\psi \in \mathrm{Ev}$.
(iii): Assume that $(M, w)$ does not realise $y := \mathrm{getChild}(x, \mathrm{cs})$. As $(M, v, w, \mathrm{chn})$
realises $x$, we have $M, w \Vdash F_x$. Furthermore, we have $F_x = F_y$ by construc-
tion in expand. Hence there must exist a $F \in \mathrm{alt}_y$ such that $M, w \Vdash (F_y \cup F)$.
By construction in expand, we have $F_y = F_x$. Moreover, by construction in
det-sts-spl and since $x$ is up-to-date, the node $x$ has a child $z$ which is
not a state such that $F_z = F_x \cup F$, $\mathrm{ann}_z = \mathrm{ann}_x$, $\mathrm{pst}_z = \mathrm{pst}_x$, $\mathrm{ppr}_z = \mathrm{ppr}_x$,
and $\mathrm{alt}_z \subseteq \mathrm{alt}_x$. In particular, we have $\mathrm{ann}_z(\chi) = \bot$ for all eventualities $\chi$ in $F$.
We can then conclude that $(M, w, \mathrm{chn}')$ annotated-satisfies $z$ for some exten-
sion $\mathrm{chn}'$ of $\mathrm{chn}$ by repeatedly applying Prop. 30(i). Together with the assump-
tion that $(M, v, w, \mathrm{chn})$ realises $x$, this implies that $(M, v, w, \mathrm{chn}')$ realises $z$. □

Definition 33. For a node $x \in V$ and an eventuality $\varphi \in F_x \cap \mathrm{Ev}$, we define
the property $\Psi(x, \varphi)$ as "$x$ is open & $\mathrm{prs}_x(\varphi) \ne \bot$ & $\forall (y, \psi) \in \mathrm{prs}_x(\varphi).\ (\mathrm{sts}_y \ne
\mathrm{closed} \Rightarrow \Psi(y, \psi))$".

Note that although $\Psi(x, \varphi)$ is recursive, it is well-defined because of Prop. 18(i).

Lemma 34. In this lemma, let $G$ be the graph at any time between two rule
applications when Rule 3 is not applicable. Let $x \in V$ and $\varphi \in F_x \cap \mathrm{Ev}$ such
that $\Psi(x, \varphi)$ holds. Furthermore, let $y$ be a child of $x$ which is not closed. If $x$ is
a state or a special node, we require additionally that $\varphi = \langle l\rangle\chi$ for some $l \in \mathrm{LPrg}$
and some $\chi \in \mathrm{Ev}$. If $x$ is a state, we also require that $y$ is the successor of $\varphi$. If $x$
is a state we define $\psi := \chi$, else we define $\psi := \varphi$. In all cases we have $\Psi(y, \psi)$.

Proof. We assume that $\Psi(y, \psi)$ does not hold and derive a contradiction. Because
of Prop. 18(i), this means that there exists a finite sequence $(y_0, \psi_0), \ldots, (y_n, \psi_n)$
of node-eventuality pairs such that:

– $y_0 = y$, $\psi_0 = \psi$, and $y_n$ is not closed;

– $y_i$ is open and $(y_{i+1}, \psi_{i+1}) \in \mathrm{prs}_{y_i}(\psi_i) \ne \bot$ for all $0 \le i < n$;

– either $y_n$ is not open or $\mathrm{prs}_{y_n}(\psi_n) = \bot$.

Note that $n = 0$ is possible and that $\Psi(y_i, \psi_i)$ does not hold for all $0 \le i \le n$.

Let $m \in \{0, \ldots, n\}$ be the smallest index such that not $y_m \sqsubset x$; or $m := n$
if $y_i \sqsubset x$ for all $0 \le i \le n$. Then the sequence $(y_0, \psi_0), \ldots, (y_m, \psi_m)$ has the
following properties, most of them inherited from above:

– $y_0 = y$, $\psi_0 = \psi$, and $y_m$ is not closed;

– $y_i$ is open and $(y_{i+1}, \psi_{i+1}) \in \mathrm{prs}_{y_i}(\psi_i) \ne \bot$ for all $0 \le i < m$;

– either $y_m$ is not open or $\mathrm{prs}_{y_m}(\psi_m) = \bot$ or not $y_m \sqsubset x$.

The following arguments rely on the fact that all nodes are up-to-date and
on the definitions of det-prs-child and, depending on whether $x$ is an $\alpha/\beta$-
node, a state, or a special node, det-sts-$\beta$ or det-sts-state or det-sts-spl,
respectively.

If $\mathrm{prs}_{y_m}(\psi_m) = \bot$, it is not too hard to see that $\mathrm{det\text{-}prs\text{-}child}(x, \varphi) = \bot$
and hence $\mathrm{prs}_x(\varphi) = \bot$ which contradicts the assumption that $\Psi(x, \varphi)$ holds.

If $y_m$ is not open or not $y_m \sqsubset x$, it is not too hard to see that we have
$(y_m, \psi_m) \in \mathrm{det\text{-}prs\text{-}child}(x, \varphi)$. Together with the definition of filter, this
implies $(y_m, \psi_m) \in \mathrm{prs}_x(\varphi) \cup \{(x, \chi) \mid \chi \in F_x \cap \mathrm{Ev}\}$. If $(y_m, \psi_m) \in \mathrm{prs}_x(\varphi) \cup
\{(x, \varphi)\}$ then $\Psi(y_m, \psi_m)$ follows from $\Psi(x, \varphi)$, but this contradicts the fact
that $\Psi(y_m, \psi_m)$ does not hold. If $(y_m, \psi_m) = (x, \chi)$ for some $\chi \in F_x \cap \mathrm{Ev}$
with $\chi \ne \varphi$, we have $\bot \ne \mathrm{prs}_x(\chi) \subseteq \mathrm{prs}_x(\varphi)$ by construction in filter and be-
cause of the transitivity in the function reach. Hence $\Psi(x, \varphi)$ implies $\Psi(x, \chi) =
\Psi(y_m, \psi_m)$ which again is a contradiction. □

Lemma 35. If a node in G is closed then it is not realisable. 

Proof. We proceed by induction on the order in which the nodes are closed. 
That is, when dealing with a node which has just become closed, we can assume 
that all other nodes in G which are already closed are not realisable. We must 
consider all cases in the algorithm where a node can be closed. 

If a node is closed because it contains an immediate contradiction, it cannot 
be realised by definition. If a node is closed because it contains an "at a world" 
cycle, it cannot be a state by construction. Furthermore, it is easy to see that 
nodes containing an "at a world" cycle cannot be annotated-satisfiable. 

If an $\alpha$- or a $\beta$-node or a special node $x$ is closed because all its children
are closed then $x$ is not realisable because of the induction hypothesis on the
children and Lemma 32(i) and (iii).

If a state $x \in V$ is closed because one of its children is closed, let $\langle l\rangle\varphi$ be
the $\langle lp\rangle$-formula in $x$ such that its successor $y$ is already closed and $\mathrm{alt}_x =
\mathrm{alt}_y$. The claim then follows from the induction hypothesis on $y$, Prop. 27, and
Lemma 32(ii). Note that a model chain can always be shortened such that it
does not contain a pair twice.

The last and most interesting case is when a node $x_1 \in V$ is closed in Rule 4
because there exists an eventuality $\varphi_1 \in F_{x_1} \cap \mathrm{Ev}$ such that $\mathrm{prs}_{x_1}(\varphi_1) = \emptyset$. For
the rest of the proof, we consider $G$ at that moment right before closing $x_1$. Next
we assume that $x_1$ is realisable and derive a contradiction.

For a contradiction, we distinguish whether or not $x_1$ is a state. If $x_1$ is a
state, let $M = (W, R, V)$ be a model and $w_1 \in W$ such that $(M, w_1)$ realises $x_1$.
Furthermore, let $\sigma$ be a model chain for $(M, w_1, \varphi_1, \mathrm{ex}(\varphi_1))$ which exists due
to Prop. 27. If $x_1$ is an $\alpha$- or a $\beta$-node or a special node, let $M = (W, R, V)$
be a model, $w_1, v_1 \in W$, and $\mathrm{chn}_1 : \mathrm{Ev} \to (\mathrm{Seq}(W \times \mathrm{Fml}))^\bot$ a function such
that $(M, v_1, w_1, \mathrm{chn}_1)$ realises $x_1$. Furthermore, let $\sigma := \mathrm{chn}_1(\varphi_1)$, that is $\sigma$ is a
model chain for $(M, w_1, \varphi_1, \mathrm{ex}(\varphi_1))$. In both cases, it is not too hard to see that
we can assume without loss of generality that $\sigma_i \ne \sigma_j$ for all $0 \le i, j < |\sigma|$, $i \ne j$.

We will inductively define an arbitrarily long sequence $\omega \in \mathrm{Seq}(V \times \mathbb{N}_0)$,
initially starting with $\omega := (x_1, 0)$, such that the following invariant is maintained
for all $0 \le k < |\omega|$:

Invariant: Let $(x, i) := \omega_k \in V \times \mathbb{N}_0$.

– if $k > 0$ and $(y, j) := \omega_{k-1}$ then: $x$ is a child of $y$ and $i \ge j$, and if $x$ is a
  state then $i > j$;

– we have $0 \le i < |\sigma|$; let $(w, \varphi) := \sigma_i \in W \times \mathrm{Fml}$;

– $\varphi \in F_x \cap \mathrm{Ev}$ and $\Psi(x, \varphi)$ holds;

– if $x$ is a state then $(M, w)$ realises $x$ and $\varphi$ is a $\langle lp\rangle$-formula;

– if $x$ is an $\alpha$- or a $\beta$-node or a special node, there exists a $v \in W$ and
  a function $\mathrm{chn} : \mathrm{Ev} \to (\mathrm{Seq}(W \times \mathrm{Fml}))^\bot$ such that $\mathrm{chn}(\varphi) = \sigma_{\ge i}$
  and $(M, v, w, \mathrm{chn})$ realises $x$.

It is not difficult to see that the initial sequence $\omega = (x_1, 0)$ fulfils the invariant.
Note in particular that if $x_1$ is a state then $\varphi_1$ is a $\langle lp\rangle$-formula by construction
in det-sts-state.

Before we describe the construction of $\omega$, we show how we can use $\omega$ to derive
a contradiction. Because of Prop. 18(iii), we can make $\omega$ long enough so that
it contains $|\sigma| + 1$ (not necessarily different) states. Hence $\omega$ must contain an
element $(x, j)$ with $j \ge |\sigma|$ due to the invariant; but this is not possible since
the invariant also guarantees that the natural numbers in $\omega$ are strictly smaller
than $|\sigma|$. Next we will show how to construct $\omega$.

Let {x,i) be the last pair in co as constructed so far and (w, y) := cTj. We 
distinguish whether x is an a//?- node or a state or a special node. 

Case 1 (x is a/fi-node): Let v and chn : Ev — >• (Seq(H^ x Fml))""" be a func- 
tion such that chn((/j) = a>i and (M, w,w,chn) realises x. Using Lemma 32(i), 
we obtain a child y of x and an extension chn' of chn such that (M, v^w, chn') 
realises y. In particular, we have chn'((/?) = a>i. Furthermore y cannot be closed 
because of the induction hypothesis. We extend w by (y,i). It remains to show 
that property f) holds, but this is exactly what Lemma 34 does. 
Case 2 ($x$ is a state): Because of the invariant, we know that $\varphi$ is of the
form $\langle l\rangle\psi \in \mathrm{Ev}$ for some $l \in \mathrm{LPrg}$ and some $\psi \in \mathrm{Ev}$. Let $v' \in W$ such
that $(v', \psi) = \mathrm{chn}(\langle l\rangle\psi)_1 = \sigma_{i+1}$ and $y$ be the successor of $\langle l\rangle\psi$. By con-
struction in det-sts-state and the fact that $x$ is open and up-to-date, we
have $\mathrm{alt}_y \subseteq \mathrm{alt}_x$. Using Lemma 32(ii) on $y$ and $\langle l\rangle\psi$ and $\sigma_{\ge i}$, we obtain a
function $\mathrm{chn}' : \mathrm{Ev} \to (\mathrm{Seq}(W \times \mathrm{Fml}))^\bot$ such that $(M, w, v', \mathrm{chn}')$ realises $y$
and $\mathrm{chn}'(\psi) = \sigma_{\ge i+1}$. In particular we have $i + 1 < |\sigma|$ since $\psi \in \mathrm{Ev}$. Further-
more $y$ cannot be closed, either because of $y = x_1$ or because of the induction
hypothesis. We extend $\omega$ by $(y, i + 1)$. It remains to show that property $\Psi(y, \psi)$
holds which is done in Lemma 34.

Case 3 ($x$ is a special node): Let $v \in W$ and $\mathrm{chn} : \mathrm{Ev} \to (\mathrm{Seq}(W \times \mathrm{Fml}))^\bot$
be a function such that $\mathrm{chn}(\varphi) = \sigma_{\ge i}$ and $(M, v, w, \mathrm{chn})$ realises $x$. Using
Lemma 32(iii), either $(M, w)$ realises $y := \mathrm{getChild}(x, \mathrm{cs})$ or there exists a child $y$
of $x$ and an extension $\mathrm{chn}'$ of $\mathrm{chn}$ such that $y$ is not a state and $(M, v, w, \mathrm{chn}')$
realises $y$. In both cases $y$ cannot be closed because of the induction hypothesis.

If $\varphi$ is not a $\langle lp\rangle$-formula then we consider $\varphi' := \mathrm{ann}_x(\varphi)$ which must be
defined as $x$ is a special node. We know $\varphi' \in \mathrm{Ev}$ since we would have $\mathrm{prs}_x(\varphi) = \bot$
by construction in det-sts-$\beta$ otherwise. As $(M, w, \mathrm{chn})$ annotated-satisfies $x$,
we therefore have $\mathrm{chn}(\varphi)_1 = (w, \varphi')$ and hence $\mathrm{chn}(\varphi') = \mathrm{chn}(\varphi)_{\ge 1}$. Due to the
invariant we have $\mathrm{chn}(\varphi) = \sigma_{\ge i}$ and thus $\mathrm{chn}(\varphi') = \sigma_{\ge i+1}$ and in particular $i +
1 < |\sigma|$. Furthermore we have $\mathrm{prs}_x(\varphi) = \mathrm{prs}_x(\varphi')$ by definition of det-sts-state
and because of Prop. 18(ii). Thus $\Psi(x, \varphi')$ holds since $\Psi(x, \varphi)$ holds. If $\varphi'$ is
not a $\langle lp\rangle$-formula, we consider $\varphi'' := \mathrm{ann}_x(\varphi')$ and so on. Since $x$ is open, and
hence $\mathrm{ann}_x$ is non-cyclic, we will eventually obtain a $\langle lp\rangle$-formula $\langle l\rangle\psi \in \mathrm{Ev}$ for
some $l \in \mathrm{LPrg}$ and some $\psi \in \mathrm{Fml}$ such that $\Psi(x, \langle l\rangle\psi)$ holds and $\mathrm{chn}(\langle l\rangle\psi) =
\sigma_{\ge i+j}$ for some $j \in \mathbb{N}_0$ with $i + j < |\sigma|$. Since $\mathrm{chn}'$, if it is needed, is an extension
of $\mathrm{chn}$, we also have $\mathrm{chn}'(\langle l\rangle\psi) = \sigma_{\ge i+j}$. In particular, we have $\sigma_{i+j} = (w, \langle l\rangle\psi)$.
Note that $\varphi = \langle l\rangle\psi$, and thus $j = 0$, is possible.

We extend $\omega$ by $(y, i + j)$. It remains to show that property $\Psi(y, \langle l\rangle\psi)$ holds
which is shown by Lemma 34 and the established fact that $\Psi(x, \langle l\rangle\psi)$ holds. □

Theorem 36. If $\mathrm{rt}$ is closed then $\varphi$ is unsatisfiable.

Proof. Assume for a contradiction that $\varphi$ is satisfiable. Since the dummy atomic
program $d$ does not occur in $\varphi$, it is not too hard to see that $\langle d\rangle\varphi$ is also satisfiable.
Hence there exists a model $M = (W, R, V)$ and a world $w \in W$ such that $M, w \Vdash
\langle d\rangle\varphi$. Together with Prop. 18(viii) and the fact that $F_{\mathrm{rt}} = \{\langle d\rangle\varphi\}$, this implies
that $(M, w)$ realises $\mathrm{rt}$ which contradicts Lemma 35. □